Data Deletion
This page explains how to request deletion of your personal data from Graft. It satisfies the data deletion requirement of the Meta Platform Terms and the right to erasure under UK GDPR Article 17.
TL;DR
Email hello@graftassistant.co.uk with the subject line "Data deletion request" and we will delete your data within 30 days, normally within 7 days.
Who this applies to
This page covers two categories of person:
- Graft account holders — tradespeople and their teams who have signed up for Graft directly.
- End-users whose messages have been processed by Graft — for example, an Instagram user who has DM'd a tradesperson that uses Graft. We process your message content on the tradesperson's behalf to display, classify, and help them reply.
Both categories have the right to request deletion. The process is the same.
How to request deletion
Option A — Email us
Send an email to hello@graftassistant.co.uk with:
- Subject: Data deletion request
- Your Graft account email (if you have one), or
- The Instagram / Facebook handle you used to message a tradesperson, and
- A brief sentence confirming you want your data deleted.
We will reply within 7 days confirming the deletion is complete, or earlier if it has already been actioned.
Option B — Delete from inside the app (account holders)
If you are a Graft account holder:
1. Open the Graft app → Settings → Account.
2. Tap Delete my account.
3. Confirm. You'll be asked to type "DELETE" to confirm.
4. Your account, all connected platform tokens, all message threads stored by Graft, and all derived data are deleted within 24 hours.
Option C — Revoke at the source platform
If you connected Instagram or Facebook to Graft and just want to revoke our access (without deleting your Graft account):
- Instagram: Settings and privacy → Apps and websites → Active → Graft → Remove.
- Facebook: Settings → Business Integrations → Graft → Remove.
When you revoke access at the source, we receive a Meta deauthorization callback within minutes and delete the associated tokens and any cached message content within 24 hours.
What gets deleted
When you complete a deletion request, we delete:
- Your Graft account record (name, email, password hash, business details).
- All access tokens we hold for connected platforms (Instagram, Facebook, Gmail, Brevo, etc.).
- All message threads, individual messages, sender metadata, and AI-generated draft replies stored on your behalf.
- All product usage data tied to your account.
- All marketing email subscriptions.
What we may retain (and why)
We may retain a minimal set of records after deletion where the law requires us to:
- Billing records and invoices — retained for 7 years under HMRC rules. These contain your name, billing email, and invoice line items only — never message content.
- Audit logs of the deletion itself — kept for 12 months so we can prove compliance if asked. This is a record of "user X requested deletion on date Y", not a copy of the deleted data.
- Anonymised analytics — aggregate counts (e.g. "150 sign-ups in March") that cannot be tied back to any individual.
Timeline
- Account-holder deletion via the app: complete within 24 hours.
- Email-based deletion requests: confirmed within 7 days, complete within 30 days.
- Meta deauthorization callback: processed within 24 hours of receipt.
Meta-specific deletion endpoint (for Meta App Review)
For the Meta Instagram and Facebook apps, our deauthorization callback URL is:
POST https://api.graftassistant.co.uk/webhooks/meta/deauthorize
When Meta calls this endpoint following a user revoking app access, we:
1. Verify the signed request.
2. Identify the affected Instagram or Facebook user ID.
3. Delete all access tokens, cached messages, and derived data linked to that user ID within 24 hours.
4. Return HTTP 200 with a confirmation code.
Note: this endpoint is operational once the Graft backend is in production. During development, deletion requests are handled via the email channel above.
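The four callback steps above, sketched as an added example (not Graft's own code) that follows Meta's documented signed_request format: a base64url signature, a dot, then a base64url JSON payload signed with HMAC-SHA256 keyed by the app secret. Python, the function names, the `queue_deletion` hook, the 400 response on failure and the response body shape are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64url_decode(part: str) -> bytes:
    # Padding is stripped from both parts; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def parse_signed_request(signed_request: str, app_secret: str) -> dict:
    """Step 1: return the payload only if its HMAC-SHA256 signature verifies."""
    try:
        sig_part, payload_part = signed_request.split(".", 1)
        signature = _b64url_decode(sig_part)
    except ValueError as exc:  # covers binascii.Error and a missing "."
        raise ValueError("malformed signed_request") from exc
    # The MAC covers the encoded payload string, so check it before parsing JSON.
    expected = hmac.new(app_secret.encode(), payload_part.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_part))
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    if not payload.get("user_id"):
        raise ValueError("missing user_id")
    return payload


def handle_deauthorize(signed_request: str, app_secret: str, queue_deletion) -> tuple:
    """Steps 2-4: queue_deletion is a hypothetical hook that schedules the purge."""
    try:
        payload = parse_signed_request(signed_request, app_secret)
    except ValueError:
        return 400, {"error": "invalid signed_request"}  # never act on unverified input
    code = secrets.token_hex(8)  # assumed confirmation-code format
    queue_deletion(str(payload["user_id"]), code)
    return 200, {"confirmation_code": code}


def sign_for_demo(payload: dict, app_secret: str) -> str:
    """Constructed helper: builds a sample signed_request for offline testing."""
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=").decode()
    mac = hmac.new(app_secret.encode(), body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode() + "." + body
```

Rejecting the request before any JSON is parsed or any user ID is looked up means a forged callback cannot trigger deletion of another user's data.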
Contact
Email: hello@graftassistant.co.uk
Subject for fastest handling: "Data deletion request"
If you are unhappy with our response you have the right to complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.