Close your account
This page explains what happens when you close your CRA Evidence account, the 30-day grace period, how recovery works, and which records are retained.
How to close your account
- Go to Settings → Profile.
- Scroll to the Danger Zone at the bottom of the page.
- Click Close Account.
- Confirm with your password (or by typing
CLOSE ACCOUNTif you signed in via Google or another SSO provider).
What happens immediately
The moment you confirm:
- Your access is revoked. You are signed out and cannot log in.
- All active sessions are invalidated on every device.
- Your product-updates email preferences are turned off.
- Your blog newsletter subscription is cancelled.
- If you have an active paid subscription, it is cancelled. Stripe automatically prorates any unused portion of the current billing period and issues a credit or refund per your payment method.
The 30-day grace period
For the 30 days following your closure request, your account is deactivated but your data is preserved. During this window:
- You cannot log in.
- Your organisation's products, SBOMs, documents, and uploads are not accessible.
- No one on your team can use the account.
- Nothing has been deleted yet.
If you change your mind during the 30 days, contact our support team at support@craevidence.com and we will restore your account and reactivate your organisation.
What happens after 30 days
At the end of the 30-day grace period, deletion becomes irreversible.
Personal data (anonymised):
- Your email is replaced with an anonymised value.
- Your name is replaced with "Deleted User".
- Your password hash and OAuth identifiers are removed.
- In historical audit records, your IP address and browser fingerprint are scrubbed.
Organisation data (deleted), if you were the only member:
- All products, versions, and release manifests.
- All SBOMs, component inventories, and scan results.
- Uploaded documents (technical files, certificates, manuals).
- Firmware analyses.
- Signing keys and artefact signatures.
- Team memberships, invitations, and API keys.
What we keep (and why)
Some records survive account closure because we are legally required to retain them:
| Record | Why we keep it | How long |
|---|---|---|
| Invoices and billing records | Spanish Commercial Code (Art. 30) and tax law require retention of accounting records | 6 years |
| Audit and security logs | Required for security investigations, CRA compliance evidence, and regulatory requests. Personal identifiers in these logs are anonymised at the 30-day mark. | Per applicable regulation |
| Anonymised aggregate analytics | Cannot be traced back to you or your organisation | Indefinite |
Everything else associated with your account and organisation is deleted.
If you are the only owner of your organisation
We treat the sole-owner case carefully so that closing your personal account does not accidentally lock out your teammates.
If your organisation has other active members (admins, members, or viewers), we will not let you close your account directly. You must first promote another member to owner, or ask them to take over. Go to Settings → Team to manage ownership.
If you are the only member of your organisation, closing your account also schedules the organisation for deletion. You will see a warning in the confirmation modal that explicitly names the organisation that will be deleted.
Data export before closure
If you need a copy of your data before it is deleted, contact support@craevidence.com within the 30-day grace period. We will provide your SBOMs, documents, and related records in standard formats (JSON, CSV, CycloneDX, SPDX).
Self-service export from the Settings page is planned for a future release.
Questions
Email support@craevidence.com if you have questions about the closure process, retention policy, or recovery.
Help us improve. What was missing or unclear?