We recently deleted over three million accounts across all our apps. This was the answer to a question we asked ourselves last year: what should we do about accounts that weren’t cancelled, but weren’t used either? Should we keep hold of their data forever?
That felt wrong – we promise to delete data when you cancel your account. Keeping so much data around felt like we weren’t living up to that promise, and felt like a liability, so we decided to do something about it.
We planned to target three groups of accounts, representing 3.2 million across six apps: Campfire, Backpack, Highrise, and the Basecamps (Classic, 2 and 3):
- Paid accounts who stopped payments
- Old trial accounts that never upgraded to a paid account
- Free accounts that haven’t been active in over a year
We organized the project in stages, each focused on a specific group of accounts. We implemented two actions for each:
- A big initial deletion of accounts
- An automatic cancellation workflow to keep the system self-maintained moving forward.
For the initial cancellation of accounts, we had a thorough discussion about whether we should notify them all. We had accounts dating back to 2004, and with the number of accounts we were talking about, even a small percentage of replies would represent a significant extra workload for our support team. Also we worried about former customers thinking we were spamming them. How could we do the right thing, in a manageable way? We decided on some thresholds to try and find the right balance. For example, we decided to cancel without notifying accounts that had been inaccessible for not paying for three years or more.
Then a customer wrote in about his old account (from 2004!). He had stopped paying in 2015 and hadn’t accessed their account since then. And now, almost 5 years later, they wanted to reopen it. When they wrote us, they were beyond the 30-days limit we wait between cancellation and actual data incineration, so despite trying hard, we couldn’t recover their data. They were gracious and understanding, but it was heartbreaking. We decided to change course: we would notify everyone instead. We talked about this in detail in this episode of Rework.
Sending millions of emails made us work hard on making them as self-serving as possible, for our customers, and for our support team. We refined, measured, and refined again in a process that saw us deliver 200 emails per day in December to 28,000 per day when we finished in April. For example, these are the initial and final versions we used for notifying free inactive accounts.
This is the chart for the backlog of free inactive accounts (the glitch in the middle was due to a bug that meant a bunch of emails weren’t sent, so we had to resend):
This project involved many people including Jane Yang leading it, Justin White taking care of the first half of the project and me completing it. We had to review our apps to measure account activity, implement a cancellation workflow that adapted to each product, and prepare our data-deletion queues to work with these kinds of numbers. Our support team handled over 2000 tickets related to this. As a new-hire, the amount of effort Basecamp was willing to put into doing the right thing was impressive. After all, this was not a new feature or product, but the kind of work that often goes unnoticed.
This was an example of the many things we are doing to raise the bar on data privacy. We will share more. Stay tuned!