    Google Play's account and data deletion requirement

    A 2026 view of a Google Play app offering account deletion both in-app and via a web link, with the associated user data deleted and declared in the Data safety form

    If your Android app lets users create an account, Google Play requires you to let them delete it, and not just from inside the app. Google's account deletion policy asks for two paths: one within the app and one on the web, so a user can request deletion even without the app installed. Deleting the account also has to delete the associated data, with narrow exceptions you must disclose. This is separate from Apple's account-deletion rule, and non-compliant apps face enforcement. Here is exactly what Google Play requires and how to meet it.

    Short answer

    If your app allows users to create an account, Google Play's User Data policy requires you to provide a way for users to delete their account both inside the app and through a web link, so a user can request deletion even without the app. Per Google's account deletion requirements, deleting the account must also delete the associated user data, though you may retain specific data for legitimate reasons like security, fraud prevention, or legal compliance, which you must disclose in your data retention policy. You declare the deletion paths in your Data safety form, and non-compliant apps can face enforcement, including removal. This is distinct from Apple's account-deletion requirement on the App Store.

    What you should know

    • It applies to account-creating apps: if users can make an account, they must be able to delete it.
    • Two paths are required: in-app deletion and a web link.
    • Data must be deleted too: not just the account record.
    • Disclosed retention is allowed: for security, fraud, or legal reasons.
    • It is declared and enforced: you declare the deletion paths in the Data safety form, and non-compliant apps can be removed.

    What does Google Play require?

    That apps allowing in-app account creation also allow account deletion, through two routes. Google Play's User Data policy states that if your app lets users create an account from within it, you must let them request that the account be deleted, and you must offer that both inside the app and via a web link where users can delete their account or request deletion. The web link matters because it lets someone delete their account without having the app installed, which is the point users often hit after they have already removed the app. You declare these deletion paths in the account deletion section of your Data safety form. So the requirement is not just a buried setting; it is a documented, two-path capability that Google checks, and apps that do not provide it are subject to enforcement.

    So users can delete their account regardless of whether the app is installed. The table contrasts the paths.

    Path                    | Why it is required
    In-app deletion         | Lets users delete from within the app they are using
    Web link deletion       | Lets users delete without installing or reinstalling the app
    Declared in Data safety | Google verifies the paths are provided

    The two paths cover the realistic situations: a user inside the app can delete there, and a user who has uninstalled, or never wants to reopen the app, can still delete their account from a web page. Providing only the in-app path leaves out the common case of someone who has already removed the app but wants their account and data gone, which is exactly why Google requires the web route as well.

    What about the data, and what exceptions exist?

    Deletion must remove the associated user data, with disclosed exceptions. When a user deletes their account, you are required to delete the user data associated with it, not merely deactivate the account, since the point is removing the user's data, not just their login. Google does allow retaining certain data for legitimate reasons (security, fraud prevention, or regulatory and legal compliance), and apps in highly regulated industries may need additional retention periods, but you must clearly inform users of this in your data retention policy. So the default is full deletion of the account and its data, and any retention has to be both legitimate and disclosed, rather than a quiet default to keep everything. Treat deletion as actually erasing the user's data, with documented, narrow carve-outs where the law or security genuinely requires holding some of it.

    What to watch out for

    The first trap is providing only in-app deletion and missing the required web link, which leaves out users who have uninstalled the app. The second is deleting the account record but retaining the user's data without a disclosed, legitimate reason, when deletion is meant to remove the data. The third is not declaring the deletion paths in your Data safety form, which is where Google checks. Account deletion is a feature and policy matter rather than a binary-security one, so it sits apart from a pre-submission scan such as PTKD.com (https://ptkd.com), which reads your app against OWASP MASVS for the security side; you build the deletion flows and declare them in Play Console.

    What to take away

    • If your app allows account creation, Google Play requires account deletion both in-app and via a web link, so users can delete without the app installed.
    • Deleting the account must also delete the associated user data, with retention allowed only for disclosed, legitimate reasons like security or legal compliance.
    • Declare the deletion paths in your Data safety form, since Google verifies them and non-compliant apps face enforcement, including removal.
    • This is distinct from Apple's account-deletion requirement, and the security of how you store and delete data is checked separately by a pre-submission scan such as PTKD.com.

    Frequently asked questions

    What does Google Play require for account deletion?
    If your app allows users to create an account from within it, you must let them request account deletion both inside the app and through a web link, and deleting the account must also delete the associated user data. You declare these deletion paths in the account deletion section of your Data safety form. Google verifies the paths, and apps that do not provide them are subject to enforcement, including removal from Google Play.
    Why does Google Play require a web deletion link?
    So users can delete their account without having the app installed. A user who has uninstalled the app, or who never wants to reopen it, can still delete their account and data from a web page, which an in-app-only path would not allow. Both routes are required: in-app deletion for users in the app, and the web link for the common case of someone who has already removed the app but wants their account and data gone.
    Does account deletion have to delete the user's data?
    Yes. Deletion must remove the user data associated with the account, not merely deactivate the login, since the point is removing the user's data. Google allows retaining certain data for legitimate reasons such as security, fraud prevention, or regulatory and legal compliance, and highly regulated apps may need additional retention, but you must clearly disclose this in your data retention policy. The default is full deletion of the account and its data, with narrow, disclosed exceptions.
    Is this the same as Apple's account deletion rule?
    No, it is a separate Google Play policy, though similar in spirit. Apple requires in-app account deletion for App Store apps that support account creation, while Google Play requires both in-app and web-link deletion and ties it to the Data safety form. If you publish on both stores, you need to satisfy each platform's version, which in practice means offering in-app deletion, a web deletion link, and actually deleting the associated data.
    How does account deletion relate to app security?
    Account deletion is a feature and policy requirement about user data rights, so it is something you build and declare, not something a binary scan evaluates. The related security concern, how you store and actually delete user data, is separate: a pre-submission scan such as PTKD.com reads your app against OWASP MASVS for the security side, like insecure storage. You implement the deletion flows and declare them in Play Console, and confirm the data handling around them is secure.
