Delete Account

Schedule account deletion with a 30-day GDPR grace period.

Instead of immediately hard-deleting, this sets deletion_scheduled_at = now()+30 days, revokes all active sessions (forces re-authentication), and returns 202. A Celery Beat task runs daily and performs the actual hard-delete once the grace period expires. Users can cancel by re-authenticating and calling POST /auth/account/cancel-deletion.

Cascade behaviour (applied at hard-delete time):

• Workspaces where user is the sole member are deleted entirely (including Stripe customer).
• Workspaces where user is the sole owner but has other members → 409 (transfer first).
• Workspaces where there are other owners → user’s membership removed; workspace survives.