We recently deleted over three million accounts across all our apps. This was the answer to a question we asked ourselves last year: what should we do about accounts that weren’t cancelled, but weren’t used either? Should we keep hold of their data forever?
That felt wrong – we promise to delete data when you cancel your account. Keeping so much data around felt like we weren’t living up to that promise, and felt like a liability, so we decided to do something about it.
We planned to target three groups of accounts, representing 3.2 million across six apps: Campfire, Backpack, Highrise, and the Basecamps (Classic, 2 and 3):
- Paid accounts who stopped payments
- Old trial accounts that never upgraded to a paid account
- Free accounts that haven’t been active in over a year
We organized the project in stages, each focused on a specific group of accounts. We implemented two actions for each:
- A big initial deletion of accounts
- An automatic cancellation workflow to keep the system self-maintained moving forward
For the initial cancellation of accounts, we had a thorough discussion about whether we should notify them all. We had accounts dating back to 2004, and with the number of accounts we were talking about, even a small percentage of replies would represent a significant extra workload for our support team. We also worried that former customers would think we were spamming them. How could we do the right thing, in a manageable way? We decided on some thresholds to try and find the right balance. For example, we decided to cancel, without notification, accounts that had been inaccessible due to non-payment for three years or more.
Then a customer wrote in about their old account (from 2004!). They had stopped paying in 2015 and hadn’t accessed the account since then. And now, almost 5 years later, they wanted to reopen it. When they wrote to us, they were beyond the 30-day limit we wait between cancellation and actual data incineration, so despite trying hard, we couldn’t recover their data. They were gracious and understanding, but it was heartbreaking. We decided to change course: we would notify everyone instead. We talked about this in detail in this episode of Rework.
Sending millions of emails made us work hard on making them as self-service as possible, for our customers and for our support team. We refined, measured, and refined again, in a process that saw us go from delivering 200 emails per day in December to 28,000 per day when we finished in April. For example, these are the initial and final versions we used for notifying free inactive accounts.
This is the chart for the backlog of free inactive accounts (the glitch in the middle was due to a bug that meant a bunch of emails weren’t sent, so we had to resend):
This project involved many people, including Jane Yang leading it, Justin White taking care of the first half of the project, and me completing it. We had to review our apps to measure account activity, implement a cancellation workflow that adapted to each product, and prepare our data-deletion queues to work with these kinds of numbers. Our support team handled over 2000 tickets related to this. As a new hire, I found the amount of effort Basecamp was willing to put into doing the right thing impressive. After all, this was not a new feature or product, but the kind of work that often goes unnoticed.
This was an example of the many things we are doing to raise the bar on data privacy. We will share more. Stay tuned!
Thanks for the write-up.
I’m curious how you went about removing data from old backups. Or do you not retain backups once they are X days old?
Hi Dave,
Our data retention for backups is 30 days.
From our cancellation policy: https://basecamp.com/about/policies/cancellation
> We’ll permanently delete your account data within 30 days from our servers and logs, and within 60 days from our backups.
We intentionally don’t store backups beyond that time.
I got a free Highrise account in 2015 to use for contact management as I sold a product (unemployed me) to a select group of customers (employers). It was great.
When I got your series of emails I thought, “Now this is how you do it.” I realized that I was unlikely to use Highrise any time soon and that it didn’t make sense for my dinky account to clutter up your servers, so I let it go.
I’m pleased that what would probably have become a forgotten bit of my data is gone without me having to think about it.
The main question is, if you have a 30 day deletion policy, why did you still have that data after years?
Because these accounts hadn’t canceled. They were just not using Basecamp. The 30 days deletion policy applies to those who explicitly requested a cancelation, which is supported in all our apps.
Given that Basecamp has 3.3M accounts as indicated in the bottom graphic on https://basecamp.com/ I wonder how many remaining Basecamp accounts exist.
The Basecamp user account graph I’m referring to:
https://basecamp.com/assets/general/footer-graph-1b92e3d67e5ac33b84ce9127ce3763bb3159efabfc02f820e45bdd8dc22700ae.png
I once asked Basecamp’s support if that graph is a gauge (reflects current number of accounts) or a counter (reflects overall signups regardless of opt-outs). The answer was “certainly a counter”. The numbers in this article tend to infer it’s a gauge. If it’s a counter, it means the database contained around 90% of dormant accounts. If it’s a gauge, it means Basecamp earns around 300M$ a month.
I don’t know what to think ;).
$300m per month would be insane! Well-deserved though 🙂
My guess is 50% of 300 000 “active” accounts are paying customers. Average amount of $49 per month & account gives $7,5 million per month in revenue. Well deserved. I hope my numbers are right or otherwise low =D
I am pretty sure one of those accounts was mine. 😂😅