Two deletions, two consequences.

When accounts ship, account deletion will remove your profile, your authentication records, and your operational logs. AION keeps a minimal tombstone (account identifier plus deletion timestamp) and the billing, tax, and audit metadata it is legally required to retain for the periods named in the Privacy Notice. It never held your Vault plaintext or keys, so there is nothing of that kind to delete or retain. Account deletion does not automatically destroy your sealed vaults; the encrypted ciphertext continues to exist in its sovereign holdings and remains openable by anyone with the threshold of shards and the convergence requirements.

This separation is intentional. A user may want to leave the AION service while still leaving their vault available for heirs. A user may also want to destroy a vault while keeping an account active. The two intents are honored independently.

You can request that AION destroy the ciphertext storage record for a specific vault. AION cannot decrypt the vault — it never held the keys — so destruction is not “deletion of the plaintext.” It is cryptographic destruction: the encrypted blob and its routing to the sovereign holdings are removed, and any ciphertext that lingers in a backup is mathematical noise without the keys. After destruction, the vault cannot be opened by anyone, including heirs. This is permanent.

Vault destruction is presented as a deliberate, plain-language confirmation flow with at least one cooling-off step and an explicit acknowledgement that heirs will lose access. The cooling-off period is 24 hours; you can cancel during that window from any session you control.

• The exact data that will be deleted, named in plain language.
• The exact data that AION will retain, with the legal reason — tax records under applicable law, audit records under the financial-record statute, tombstone identifiers for compliance with deletion requests themselves.
• The permanent-deletion date. Until that date, you will be able to cancel from in-app settings or by replying to the daily reminder email.
• The session-revocation note: when you confirm deletion, all your sessions and tokens will be revoked immediately, even before the grace period elapses.

When accounts ship, AION will operate rolling backups of operational metadata for resilience. After deletion, your data will be removed from the primary database immediately, then expired from caches, then removed from backups within the next backup retention window. If a backup must be restored to recover from an incident during that window, the restoration is followed by re-applying pending deletions; the audit log records the sequence so it cannot quietly fail.

From the application. When accounts ship, the Settings panel will include a deletion flow that meets the requirements above.

By correspondence. Write to mail@sealedaion.com. AION will confirm the request before processing, to protect you from a stranger requesting deletion in your name. Today AION holds no user accounts and processes no personal data, so account deletion requests are not yet reachable.

Through a sovereign holder (planned). The seven-sovereign holder network is not operational yet — no shard-custody agreement has been signed. When it ships, each holder will store only an encrypted shard, never plaintext or keys, so a holder cannot read or erase your secrets — only discard the ciphertext fragment it holds. Destroying a shard below the recovery threshold is itself cryptographic destruction of the vault.

A heir cannot delete the vault of an owner still living. When the inheritance protocols ship in Phase 3 — dead-man-switch attestation and trustee quorum — a designated heir will be able to request vault destruction in lieu of inheritance after the owner’s death is attested. That request will be recorded so it is not invisible to other designated heirs, who may object during a co-heir cooling-off period. None of this is live today.