
GDPR Driven Account Deletion


Use a workflow on this page when a user requests the deletion of their account either through a Zendesk ticket or via an email to


Requests received through Zendesk

Note: This workflow only applies if the user has not accepted the revised terms of service. If they have accepted it, they have access to and can delete their account and retrieve their data themselves.

If a request is received through Zendesk as a ticket:

  1. Apply the "Account::GDPR Deletion -" Macro

This macro will simply advise the user as follows and close the ticket:


We understand that you want to completely remove your account.

Due to the complexity of servicing these requests, we're asking our users to please email ``.

Please ensure that you:
- send the email from the address associated with your account
- include the GitLab username you'd like removed

Please note that:
- in many circumstances, we will not be able to provide a full export of associated repositories
- any groups that you're a sole owner in will be deleted, along with any projects contained therein

Once you've submitted your request, we'll have the various teams remove your associated data and send you final confirmation when deletion is complete.

Please also note that if you have accepted the updated ToS, we will **not** take action on this request and will redirect you to

From there, you can delete your account and associated data yourself.

Thanks for your understanding.

Requests received through

Note: The following snippet is for reference only. Prefer the issue template in the gdpr-request tracker.

When creating the issue, please make sure to include the regional Data Protection Officer for visibility.

## Related issue: ___

1. [ ] Support Agent: Impersonate the user to verify that the user has **not** accepted the GDPR terms, or check with `TermAgreement.find_by(user_id: User.find_by!(username:'<username>'))`. (If they have accepted, stop and advise them how to delete their account themselves.)
1. [ ] Support Agent: Verify that the `username` is associated with the originating email on
1. [ ] Support Agent: Create a new *confidential* issue in the `gdpr-request` issue tracker with the originating email address as the title. 
   - [ ] Copy the contents of this workflow into it.
   - [ ] Link the original issue in the **Related issue** field above
   - [ ] Respond to the original issue with a note indicating that it has been received.
1. [ ] Support Agent: Check in SFDC for any records related to this email address and have the account owner remove them. If there are none, remove ~SFDC-removal
   - [ ] Support Agent: Once you've contacted the account owner, add them as an assignee in this issue
   - [ ] Account owner: Remove all records in SFDC pertaining to this account. When finished, remove the ~SFDC-removal tag
1. [ ] JJ: Ensure that this email address is removed from all mailing lists and deleted from the database completely. Remove the ~email-list-removal tag.
1. [ ] Support Agent: Tag a ZD admin to ensure that this email address (and associated tickets) are removed from Zendesk
   - [ ] ZD Admin: Delete all user data in ZD and remove ~ZD-removal
1. [ ] Support Agent: If the submitter has requested their data, discuss this with your manager before proceeding
   - [ ] Create an ~"SE Escalation" to initiate an export and wait for it to be completed before proceeding
1. [ ] Support Agent: Delete any groups that are blocking the deletion
1. [ ] Support Agent: Delete the user and remove the ~GitLab-removal tag
1. [ ] Support Agent: If all steps above have been completed, notify the user their request has been completed by commenting on the original issue and closing both this issue and the original. 

/label ~meta-issue ~email-list-removal ~SFDC-removal ~ZD-removal ~GitLab-removal

/assign @darawarde me


Response template for incoming requests


We have received your request for account deletion. We're working on removing any personally identifiable information on and associated systems. You'll receive an additional notice once this process is complete.

Thanks for your understanding,

<Person who owns the request>

Response template for successfully deleted accounts


As requested, your account has been deleted and all personally identifiable information related to your account has been removed.

Please do note that while your personal data has been removed from all production systems, it may persist in backup copies until they expire. Backups expire every 2 weeks.

As allowed by the GDPR, we'll also maintain a copy of your original account deletion request sent to `` and this message as a record of our compliance.


<Person who owns the request>