Data Deletion Policy

DiffChecker Pro is committed to respecting your right to control your personal data. This Data Deletion Policy explains your right to request deletion of your personal information, what data will be deleted, what data must be retained for legal reasons, and how long the process takes. This policy applies to all users worldwide, with specific provisions for users in the European Economic Area (EEA) and California.

This policy should be read alongside our Privacy Policy, which describes in full how we collect and use personal data.

1. Your Right to Erasure

1.1 GDPR — Right to Erasure (Article 17)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right under Article 17 of the General Data Protection Regulation (GDPR) to request that we erase your personal data without undue delay where one or more of the following grounds apply:

• The personal data is no longer necessary in relation to the purposes for which it was collected or processed.
• You withdraw the consent on which processing is based and there is no other legal ground for processing.
• You object to processing under Article 21 GDPR and there are no overriding legitimate grounds for processing.
• The personal data has been unlawfully processed.
• The personal data must be erased to comply with a legal obligation under EU or Member State law.

1.2 CCPA — Right to Delete

California residents have the right under the California Consumer Privacy Act (CCPA), as amended by the CPRA, to request that businesses delete personal information collected from them. Upon receiving a verifiable consumer request, we will delete your personal information from our records and direct our service providers to delete your personal information from their records, subject to the exceptions set out in Section 3 of this policy.

1.3 Global Users

Even if you are not located in the EEA or California, we honour reasonable data deletion requests from all users worldwide as a matter of our commitment to user privacy. The same process and timeline apply.

2. What Data Will Be Deleted

Upon a valid and verified deletion request, we will delete the following categories of personal data from our active systems:

We will also instruct our data sub-processors (including email providers and analytics platforms) to delete personal data we have shared with them, where technically and contractually feasible.

3. Data We Cannot Delete (Retention Exceptions)

Certain data must be retained even after a deletion request, as permitted or required by applicable law under GDPR Article 17(3) and corresponding CCPA exceptions:

• Financial and billing records: transaction records, invoices, and payment history are retained for a minimum of 7 years to comply with tax and accounting regulations (e.g., UK Companies Act 2006, US IRS requirements). These records contain your email address and payment amount but not full payment card details (held only by Stripe).
• Legal hold data: if your account or data is subject to a pending legal claim, regulatory investigation, or court order, we are legally obligated to preserve the relevant data until the matter is resolved.
• Aggregated, anonymised analytics: statistical data that has been irreversibly anonymised (i.e., cannot be re-linked to you) is not considered personal data and is not subject to deletion. For example, daily active user counts or feature usage percentages.
• Fraud and abuse records: if your account was terminated for violations of our Terms of Service, we may retain a minimal record (e.g., hashed email address and termination reason) for fraud prevention and to enforce our ban, as permitted by GDPR Article 17(3)(b).
• Security logs: server access logs (containing IP addresses) are retained for 90 days from creation for security monitoring purposes. These will be deleted at the end of the 90-day retention period even without a separate deletion request.
• Backup media: encrypted backup copies of our database may contain your data for up to 30 days after your active account data is deleted. These backups are encrypted, access-controlled, and are overwritten on a rolling 30-day schedule.

We will clearly communicate what data has been deleted and what has been retained (and why) when we respond to your request.

4. How to Request Data Deletion

You have two methods to submit a data deletion request:

Option A — Self-Service (Fastest)

Log in to your account, navigate to Account Settings → Privacy → Delete My Account. Follow the confirmation prompts. Account deletion via this method begins immediately and completes within 30 days. You will receive an email confirmation when the process is complete.

Option B — Email Request

Send an email to legal@diffchecker.pro with the subject line: "Data Deletion Request — [your account email]". Please include:

1. Your full name as registered on your account.
2. The email address associated with your DiffChecker Pro account.
3. A description of the data you wish to have deleted (e.g., "all personal data" or specific categories).
4. For GDPR requests: your country of residence.
5. For CCPA requests: a statement that you are a California resident.

We will verify your identity before processing the request (see Section 5).

5. Identity Verification

To protect your personal data from unauthorised deletion requests, we must verify your identity before fulfilling a deletion request. For email-based requests, we will:

1. Send a verification email to the address associated with your account containing a one-time confirmation link.
2. For accounts using OAuth (Google/GitHub sign-in), we may ask you to confirm the linked identity provider.
3. For requests where the account email is no longer accessible, we may require additional verification (e.g., last 4 digits of the card used for billing, recent subscription details).

Under the CCPA, we are permitted to deny requests we cannot verify, and we may request only the information reasonably necessary to verify your identity. We will not use information provided for verification for any purpose other than verifying your identity in connection with your deletion request.

6. Timeline

Under GDPR, we must respond within 30 days of receiving a verified request (extendable by an additional 60 days for complex cases, with notification). Under CCPA, we must respond within 45 days (extendable once by another 45 days with notice). We aim to complete all requests within 30 days.

7. Consequences of Deletion

Please be aware of the following consequences before submitting a deletion request:

• Your account will be permanently closed and cannot be recovered.
• All saved diffs, shared links, and comparison history will be permanently deleted and cannot be retrieved.
• If you have an active paid subscription, it will be cancelled immediately. No partial refund is issued for the remaining period unless you are within the 7-day guarantee window (see our Refund Policy).
• Shared links you created will become inactive.
• You may create a new account in the future using the same email address, but no previous data will be associated with it.

8. Right to Lodge a Complaint

If you are an EEA or UK resident and believe we have not adequately fulfilled your data deletion request or otherwise violated your data protection rights, you have the right to lodge a complaint with your local supervisory authority:

• UK: Information Commissioner's Office (ICO) — ico.org.uk
• Ireland: Data Protection Commission — dataprotection.ie
• Germany: Federal Commissioner for Data Protection (BfDI)
• France: Commission Nationale de l'Informatique et des Libertés (CNIL)

9. Contact