Two deletions, two consequences.
Deleting your AION account and deleting a vault’s ciphertext are different operations. The page below explains both, what each permanently removes, what AION retains where law requires, and how long the grace period is before the action becomes irreversible.
What removes the account, not the vault
Account deletion permanently removes your profile, your authentication records, your operational logs, and your audit trail of administrative actions. It does not automatically destroy your sealed vaults; the encrypted ciphertext continues to exist in its sovereign holdings and remains openable by anyone with the threshold of shards and the convergence requirements.
This separation is intentional. A user may want to leave the AION service while still leaving their vault available for heirs. A user may also want to destroy a vault while keeping an account active. The two intents are honored independently.
What removes the ciphertext, by request
You can request that AION destroy the ciphertext storage record for a specific vault. AION cannot decrypt the vault before destruction, so destruction is not “deletion of the plaintext” — it is the removal of the encrypted blob and its routing to the sovereign holdings. After destruction, the vault cannot be opened by anyone, including heirs. This is permanent.
Vault destruction is presented as a deliberate, plain-language confirmation flow with at least one cooling-off step and an explicit acknowledgement that heirs will lose access. The cooling-off period is seven days; you can cancel during that window from any session you control.
Line-by-line, before you confirm
- The exact data that will be deleted, named in plain language.
- The exact data that AION will retain, with the legal reason — tax records under applicable law, audit records under the financial-record statute, tombstone identifiers for compliance with deletion requests themselves.
- The permanent-deletion date. Until that date, you can cancel from in-app settings or by replying to the daily reminder email.
- The session-revocation note: when you confirm deletion, all your sessions and tokens are revoked immediately, even before the grace period elapses.
What still exists for the retention window
AION operates rolling backups of operational metadata for resilience. After deletion, your data is removed from the primary database immediately, then expired from caches, then removed from backups within the next backup retention window. If a backup must be restored to recover from an incident during that window, the restoration is followed by re-applying pending deletions; the audit log records the sequence so it cannot quietly fail.
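The restore-then-replay sequence described above, sketched as an added example (not AION's code): tombstone identifiers drive the re-deletion after a backup restore, and a hash-chained audit log makes a dropped or unfinished replay detectable. The function names, event names and record layout are assumptions.

```python
import hashlib, json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, event, **fields):
    """Append an audit entry that commits to the previous entry's hash."""
    body = {"event": event, "prev": log[-1]["hash"] if log else GENESIS, **fields}
    log.append({**body, "hash": _digest(body)})

def chain_intact(log):
    """True if no entry was altered, dropped or reordered."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def restore_and_reapply(backup_rows, tombstones, log):
    """Restore a backup, then delete every subject that has a tombstone."""
    db = dict(backup_rows)
    append(log, "restore_started", rows=len(db))
    for subject in sorted(tombstones):
        if subject in db:                 # idempotent: absent rows are skipped
            del db[subject]
            append(log, "deletion_reapplied", subject=subject)
    append(log, "restore_completed", rows=len(db))
    return db

def unfinished_restores(log):
    """Restores with no completion entry, i.e. a replay that stopped part-way."""
    pending = 0
    for entry in log:
        if entry["event"] == "restore_started":
            pending += 1
        elif entry["event"] == "restore_completed":
            pending -= 1
    return pending

# Constructed sample data: the backup predates the deletion of acct-1002.
BACKUP = {"acct-1001": {"plan": "basic"}, "acct-1002": {"plan": "basic"}}
TOMBSTONES = {"acct-1002", "acct-0999"}   # acct-0999 was deleted before the backup
```

A monitor that alerts when `unfinished_restores` is non-zero or `chain_intact` is false turns a silent replay failure into a visible one.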
Three paths
From the application. When accounts ship, the Settings panel will include a deletion flow that meets the requirements above.
By correspondence. Write to privacy@sealedaion.com. Email forwarding may still be propagating after MX setup; AION will confirm the request via a signed link before processing, to protect you from a stranger requesting deletion in your name. Today AION holds no user accounts and processes no personal data, so deletion requests are not yet reachable.
Through your sovereign holding. Each of the seven sovereign holders honors deletion requests under their local privacy law (GDPR, PIPEDA, the Singapore PDPA, the New Zealand Privacy Act, and analogous regimes). A request to one holder is honored by that holder for their shard; AION coordinates the others through the standard flow.
If an heir wants a holder removed
An heir cannot delete the vault of a holder still living. After a holder’s death is attested under the dead-man-switch and the trustee-quorum protocols, a designated heir may request vault destruction in lieu of inheritance. This is recorded in the audit chain so the request is not invisible to other designated heirs, who may object during a co-heir cooling-off period.