Apple has required in-app account deletion for all apps that allow account creation since June 2022 (App Store Review Guideline 5.1.1). Apps that route users to an email address or external form for deletion are rejected on every submission, not just the first. Beyond the rejection risk, failing to provide in-app deletion violates GDPR Art.17 (right to erasure) and CCPA §1798.105 (right to deletion), both of which require that deletion be initiatable by the user without unreasonable friction. 'Email us to delete your account' does not satisfy either regulation.
Critical because Apple rejects every submission that creates user accounts without in-app deletion — there is no exception or deferral, and GDPR Art.17 requires erasure be technically possible.
Add a 'Delete Account' option accessible from your settings or account management screen. The complete flow: Settings → Delete Account → confirmation dialog ('This cannot be undone') → API call → sign out + navigate to login.
For Supabase, call the deletion from a secure server-side function — never from the client with a service role key:
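// Supabase Edge Function: delete-account.ts
// `supabase` is a client created inside the function with the service role key;
// `userId` identifies the authenticated caller.
// Remove the user's rows first, then the auth user itself.
await supabase.from('user_files').delete().eq('user_id', userId);
await supabase.from('posts').delete().eq('user_id', userId);
await supabase.from('profiles').delete().eq('id', userId);
await supabase.auth.admin.deleteUser(userId);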
If a 30-day recovery window applies, inform the user clearly before they confirm. The deletion option must be navigable from within the app — no external links or support emails.
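A fuller version of the server-side deletion logic above, added here as an example and not taken from the original page or from Supabase: it reads the user id from the verified bearer token and checks the `error` each call returns, because supabase-js v2 reports failures in the result instead of throwing. The `Db` interface, the `deleteAccount` name and the status/body return shape are assumptions; the table names come from the snippet above.

```typescript
// Added example: the names below are assumptions, not the page's own code.
// `Db` is a hypothetical structural subset of a supabase-js v2 client, so the
// logic can be exercised with a stub. In the Edge Function, pass a client
// created with the service role key, which never leaves the server.
type Failure = { message: string } | null;
interface Db {
  auth: {
    getUser(jwt: string): Promise<{ data: { user: { id: string } | null }; error: Failure }>;
    admin: { deleteUser(id: string): Promise<{ error: Failure }> };
  };
  from(table: string): {
    delete(): { eq(column: string, value: string): PromiseLike<{ error: Failure }> };
  };
}

// Tables from the page's snippet, in its order: dependent rows, then the profile.
const USER_TABLES: [string, string][] = [
  ["user_files", "user_id"],
  ["posts", "user_id"],
  ["profiles", "id"],
];

async function deleteAccount(
  db: Db,
  authorization: string | null,
): Promise<{ status: number; body: string }> {
  // The user id comes from the verified bearer token, never from a
  // client-supplied parameter, so a caller can only delete their own account.
  const jwt = /^Bearer (.+)$/.exec(authorization ?? "")?.[1];
  if (!jwt) return { status: 401, body: "missing bearer token" };
  const { data, error } = await db.auth.getUser(jwt);
  if (error || !data.user) return { status: 401, body: "invalid session" };
  const userId = data.user.id;

  // supabase-js returns { error } rather than throwing: check each step and
  // keep the auth user if any row deletion failed, so the request can be retried.
  for (const [table, column] of USER_TABLES) {
    const { error: rowError } = await db.from(table).delete().eq(column, userId);
    if (rowError) return { status: 500, body: `could not delete ${table}` };
  }
  const { error: authError } = await db.auth.admin.deleteUser(userId);
  if (authError) return { status: 500, body: "could not delete auth user" };
  return { status: 200, body: "account deleted" };
}
```

In the Edge Function's request handler, pass the incoming `Authorization` header value as the second argument and map the returned status and body onto the HTTP response.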
ID: app-store-privacy-data.data-handling.in-app-account-deletion
Severity: critical
What to look for: Count all relevant instances and enumerate each. Apple has required in-app account deletion for all apps with account creation since June 2022. Search for delete/deactivate account UI: components or screens with names containing DeleteAccount, delete-account, RemoveAccount, DeactivateAccount, CloseAccount in .tsx, .jsx, .dart, .swift, .kt files. Search for string literals "delete account", "remove account", "deactivate account", "close account", "delete my account" in the source. Check settings screen(s) for a deletion option — look at files named Settings, Account, Profile, AccountSettings, ProfileSettings. Verify the flow: (a) is it accessible from within the app (not requiring users to email support or visit a website)? (b) does it make an API call that actually deletes the account? (c) is there a confirmation step before deletion? Also verify on the backend side: look for DELETE /api/user, DELETE /api/account, deleteUser(), auth.admin.deleteUser() (Supabase), user.delete() (Firebase) or equivalent server-side handler. Note: redirecting to a privacy policy or external form is not sufficient — deletion must be initiatable from within the app.
Pass criteria: The app has an in-app UI for account deletion accessible from settings or account management. At least 1 implementation must be verified. The deletion flow completes (makes an API call, deletes the account server-side). A confirmation step is present before irreversible deletion.
Fail criteria: No in-app account deletion found; deletion requires contacting support by email; deletion option exists in UI but makes no API call (stubbed); no server-side deletion endpoint exists.
Skip (N/A) when: App has no user accounts — no authentication, no account creation, no persistent user profile tied to a user identity.
Detail on fail: "No account deletion UI found in settings screens — users must email support to delete their account, which violates Apple App Store guideline 5.1.1" or "'Delete Account' button exists in src/screens/Settings.tsx but calls a stub function with no API request"
Remediation: Apple will reject apps that create accounts but don't provide in-app deletion. This is enforced on every new submission and update.
For Supabase, call supabase.auth.admin.deleteUser(userId) from a secure server-side function (never from the client with a service role key). Review the configuration in the src/ or app/ directory for implementation patterns.