infra/docs/automated-account-deletion.md

# Automated account deletion

Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:

1. Without verified email: should be deleted after 30 days without being activated
2. With verified email: should be deleted after 2 years of inactivity

Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:

* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user
* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok
* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
* Keycloak 
* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created
auth: add last login to keycloak, add docs 2024-04-28 00:44:14 +00:00			`# Automated account deletion`

			`Per GDPR legislation, accounts should be automatically deleted after a period of inactivity. We discern between two different types of accounts:`

			`1. Without verified email: should be deleted after 30 days without being activated`
			`2. With verified email: should be deleted after 2 years of inactivity`

			`Some services hold on to a session for a very long time. We'll have to query their APIs to see if the account is still in use:`

			`* Matrix via the admin api: https://matrix-org.github.io/synapse/v1.48/admin_api/user_admin_api.html#query-current-sessions-for-a-user`
			`* Mastodon via the admin api: https://docs.joinmastodon.org/methods/admin/accounts/#200-ok`
			* Nextcloud only gives the last login, not the last active time like a sync via `nextcloud-occ user:lastseen`
			`* Keycloak`
			`* We can ignore Forgejo, since the sessions there are valid for a maximum of one year, regardless of how they got created`