Implement account deletion system

2025-12-20 06:11:11 -05:00 · 2025-10-12 14:17:54 +00:00
parent 21ba87a664
commit 3a38b47108
10 changed files with 1429 additions and 50 deletions
--- a/src/components/settings/AccountDeletionDialog.tsx
+++ b/src/components/settings/AccountDeletionDialog.tsx
@@ -0,0 +1,282 @@
+import { useState } from 'react';
+import { AlertDialog, AlertDialogContent, AlertDialogHeader, AlertDialogTitle, AlertDialogDescription, AlertDialogFooter } from '@/components/ui/alert-dialog';
+import { Button } from '@/components/ui/button';
+import { Input } from '@/components/ui/input';
+import { Label } from '@/components/ui/label';
+import { Checkbox } from '@/components/ui/checkbox';
+import { Alert, AlertDescription } from '@/components/ui/alert';
+import { supabase } from '@/integrations/supabase/client';
+import { useToast } from '@/hooks/use-toast';
+import { Loader2, AlertTriangle, Info } from 'lucide-react';
+
+interface AccountDeletionDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  userEmail: string;
+  onDeletionRequested: () => void;
+}
+
+export function AccountDeletionDialog({ open, onOpenChange, userEmail, onDeletionRequested }: AccountDeletionDialogProps) {
+  const [step, setStep] = useState<'warning' | 'confirm' | 'code'>('warning');
+  const [loading, setLoading] = useState(false);
+  const [confirmationCode, setConfirmationCode] = useState('');
+  const [codeReceived, setCodeReceived] = useState(false);
+  const [scheduledDate, setScheduledDate] = useState<string>('');
+  const { toast } = useToast();
+
+  const handleRequestDeletion = async () => {
+    setLoading(true);
+    try {
+      const { data, error } = await supabase.functions.invoke('request-account-deletion', {
+        body: {},
+      });
+
+      if (error) throw error;
+
+      setScheduledDate(data.scheduled_deletion_at);
+      setStep('code');
+      onDeletionRequested();
+      
+      toast({
+        title: 'Deletion Requested',
+        description: 'Check your email for the confirmation code.',
+      });
+    } catch (error: any) {
+      toast({
+        variant: 'destructive',
+        title: 'Error',
+        description: error.message || 'Failed to request account deletion',
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleConfirmDeletion = async () => {
+    if (!confirmationCode || confirmationCode.length !== 6) {
+      toast({
+        variant: 'destructive',
+        title: 'Invalid Code',
+        description: 'Please enter a 6-digit confirmation code',
+      });
+      return;
+    }
+
+    setLoading(true);
+    try {
+      const { error } = await supabase.functions.invoke('confirm-account-deletion', {
+        body: { confirmation_code: confirmationCode },
+      });
+
+      if (error) throw error;
+
+      toast({
+        title: 'Account Deleted',
+        description: 'Your account has been permanently deleted.',
+      });
+
+      // Sign out and redirect
+      await supabase.auth.signOut();
+      window.location.href = '/';
+    } catch (error: any) {
+      toast({
+        variant: 'destructive',
+        title: 'Error',
+        description: error.message || 'Failed to confirm deletion',
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleResendCode = async () => {
+    setLoading(true);
+    try {
+      const { error } = await supabase.functions.invoke('resend-deletion-code', {
+        body: {},
+      });
+
+      if (error) throw error;
+
+      toast({
+        title: 'Code Resent',
+        description: 'A new confirmation code has been sent to your email.',
+      });
+    } catch (error: any) {
+      toast({
+        variant: 'destructive',
+        title: 'Error',
+        description: error.message || 'Failed to resend code',
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleClose = () => {
+    setStep('warning');
+    setConfirmationCode('');
+    setCodeReceived(false);
+    onOpenChange(false);
+  };
+
+  return (
+    <AlertDialog open={open} onOpenChange={handleClose}>
+      <AlertDialogContent className="max-w-2xl">
+        <AlertDialogHeader>
+          <AlertDialogTitle className="flex items-center gap-2 text-destructive">
+            <AlertTriangle className="w-5 h-5" />
+            Delete Account
+          </AlertDialogTitle>
+          <AlertDialogDescription className="text-left space-y-4">
+            {step === 'warning' && (
+              <>
+                <Alert>
+                  <Info className="w-4 h-4" />
+                  <AlertDescription>
+                    This action will permanently delete your account after a 2-week waiting period. Please read carefully.
+                  </AlertDescription>
+                </Alert>
+
+                <div className="space-y-3">
+                  <div>
+                    <h4 className="font-semibold text-foreground mb-2">What will be DELETED:</h4>
+                    <ul className="space-y-1 text-sm">
+                      <li>✗ Your profile information (username, bio, avatar, etc.)</li>
+                      <li>✗ Your reviews and ratings</li>
+                      <li>✗ Your personal preferences and settings</li>
+                    </ul>
+                  </div>
+
+                  <div>
+                    <h4 className="font-semibold text-foreground mb-2">What will be PRESERVED:</h4>
+                    <ul className="space-y-1 text-sm">
+                      <li>✓ Your database submissions (park creations, ride additions, edits)</li>
+                      <li>✓ Photos you've uploaded (shown as "Submitted by [deleted user]")</li>
+                      <li>✓ Edit history and contributions</li>
+                    </ul>
+                  </div>
+
+                  <Alert variant="destructive">
+                    <AlertDescription>
+                      <strong>2-Week Waiting Period:</strong> Your account will be deactivated immediately, but you'll have 14 days to cancel before permanent deletion. You'll receive a confirmation code via email.
+                    </AlertDescription>
+                  </Alert>
+                </div>
+              </>
+            )}
+
+            {step === 'confirm' && (
+              <Alert variant="destructive">
+                <AlertDescription>
+                  Are you absolutely sure? This will deactivate your account immediately and schedule it for permanent deletion in 2 weeks.
+                </AlertDescription>
+              </Alert>
+            )}
+
+            {step === 'code' && (
+              <div className="space-y-4">
+                <Alert>
+                  <Info className="w-4 h-4" />
+                  <AlertDescription>
+                    Your account has been deactivated and will be deleted on{' '}
+                    <strong>{scheduledDate ? new Date(scheduledDate).toLocaleDateString() : '14 days from now'}</strong>.
+                  </AlertDescription>
+                </Alert>
+
+                <p className="text-sm">
+                  A 6-digit confirmation code has been sent to <strong>{userEmail}</strong>.
+                </p>
+
+                <div className="space-y-4">
+                  <div className="space-y-2">
+                    <Label htmlFor="confirmationCode">Confirmation Code</Label>
+                    <Input
+                      id="confirmationCode"
+                      type="text"
+                      placeholder="000000"
+                      maxLength={6}
+                      value={confirmationCode}
+                      onChange={(e) => setConfirmationCode(e.target.value.replace(/\D/g, ''))}
+                      className="text-center text-2xl tracking-widest"
+                    />
+                  </div>
+
+                  <div className="flex items-center space-x-2">
+                    <Checkbox
+                      id="codeReceived"
+                      checked={codeReceived}
+                      onCheckedChange={(checked) => setCodeReceived(checked === true)}
+                    />
+                    <Label htmlFor="codeReceived" className="text-sm font-normal cursor-pointer">
+                      I have received the code in my email
+                    </Label>
+                  </div>
+
+                  <Button
+                    variant="outline"
+                    onClick={handleResendCode}
+                    disabled={loading}
+                    className="w-full"
+                  >
+                    {loading ? <Loader2 className="w-4 h-4 animate-spin" /> : 'Resend Code'}
+                  </Button>
+                </div>
+
+                <Alert>
+                  <AlertDescription className="text-xs">
+                    Note: You cannot confirm deletion until the 2-week period has passed. You can cancel at any time during this period.
+                  </AlertDescription>
+                </Alert>
+              </div>
+            )}
+          </AlertDialogDescription>
+        </AlertDialogHeader>
+        <AlertDialogFooter>
+          {step === 'warning' && (
+            <>
+              <Button variant="outline" onClick={handleClose}>
+                Cancel
+              </Button>
+              <Button variant="destructive" onClick={() => setStep('confirm')}>
+                Continue
+              </Button>
+            </>
+          )}
+
+          {step === 'confirm' && (
+            <>
+              <Button variant="outline" onClick={() => setStep('warning')}>
+                Go Back
+              </Button>
+              <Button
+                variant="destructive"
+                onClick={handleRequestDeletion}
+                disabled={loading}
+              >
+                {loading ? <Loader2 className="w-4 h-4 animate-spin mr-2" /> : null}
+                Request Deletion
+              </Button>
+            </>
+          )}
+
+          {step === 'code' && (
+            <>
+              <Button variant="outline" onClick={handleClose}>
+                Close
+              </Button>
+              <Button
+                variant="destructive"
+                onClick={handleConfirmDeletion}
+                disabled={loading || !codeReceived || confirmationCode.length !== 6}
+              >
+                {loading ? <Loader2 className="w-4 h-4 animate-spin mr-2" /> : null}
+                Confirm Deletion
+              </Button>
+            </>
+          )}
+        </AlertDialogFooter>
+      </AlertDialogContent>
+    </AlertDialog>
+  );
+}
--- a/src/components/settings/AccountProfileTab.tsx
+++ b/src/components/settings/AccountProfileTab.tsx
@@ -1,4 +1,4 @@
-import { useState } from 'react';
+import { useState, useEffect } from 'react';
 import { useForm } from 'react-hook-form';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { z } from 'zod';
@@ -21,6 +21,8 @@ import { EmailChangeDialog } from './EmailChangeDialog';
 import { Badge } from '@/components/ui/badge';
 import { Alert, AlertDescription, AlertTitle } from '@/components/ui/alert';
 import { toast as sonnerToast } from 'sonner';
+import { AccountDeletionDialog } from './AccountDeletionDialog';
+import { DeletionStatusBanner } from './DeletionStatusBanner';

 const profileSchema = z.object({
  username: z.string().min(3).max(30).regex(/^[a-zA-Z0-9_-]+$/),
@@ -44,6 +46,8 @@ export function AccountProfileTab() {
  const [cancellingEmail, setCancellingEmail] = useState(false);
  const [avatarUrl, setAvatarUrl] = useState<string>(profile?.avatar_url || '');
  const [avatarImageId, setAvatarImageId] = useState<string>(profile?.avatar_image_id || '');
+  const [showDeletionDialog, setShowDeletionDialog] = useState(false);
+  const [deletionRequest, setDeletionRequest] = useState<any>(null);

  const form = useForm<ProfileFormData>({
    resolver: zodResolver(profileSchema),
@@ -57,6 +61,26 @@ export function AccountProfileTab() {
    }
  });

+  // Check for existing deletion request on mount
+  useEffect(() => {
+    const checkDeletionRequest = async () => {
+      if (!user?.id) return;
+
+      const { data, error } = await supabase
+        .from('account_deletion_requests')
+        .select('*')
+        .eq('user_id', user.id)
+        .eq('status', 'pending')
+        .maybeSingle();
+
+      if (!error && data) {
+        setDeletionRequest(data);
+      }
+    };
+
+    checkDeletionRequest();
+  }, [user?.id]);
+
  const onSubmit = async (data: ProfileFormData) => {
    if (!user) return;
    
@@ -200,30 +224,36 @@ export function AccountProfileTab() {
    }
  };

-  const handleDeleteAccount = async () => {
-    if (!user) return;
+  const handleDeletionRequested = async () => {
+    // Refresh deletion request data
+    const { data, error } = await supabase
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('user_id', user!.id)
+      .eq('status', 'pending')
+      .maybeSingle();

-    try {
-      // This would typically involve multiple steps:
-      // 1. Anonymize or delete user data
-      // 2. Delete the auth user
-      // For now, we'll just show a message
-      toast({
-        title: 'Account deletion requested',
-        description: 'Please contact support to complete account deletion.',
-        variant: 'destructive'
-      });
-    } catch (error: any) {
-      toast({
-        title: 'Error',
-        description: error.message || 'Failed to delete account',
-        variant: 'destructive'
-      });
+    if (!error && data) {
+      setDeletionRequest(data);
    }
  };

+  const handleDeletionCancelled = () => {
+    setDeletionRequest(null);
+  };
+
+  const isDeactivated = (profile as any)?.deactivated || false;
+
  return (
    <div className="space-y-8">
+      {/* Deletion Status Banner */}
+      {deletionRequest && (
+        <DeletionStatusBanner
+          scheduledDate={deletionRequest.scheduled_deletion_at}
+          onCancelled={handleDeletionCancelled}
+        />
+      )}
+
      {/* Profile Picture */}
      <div className="space-y-4">
        <h3 className="text-lg font-medium">Profile Picture</h3>
@@ -257,6 +287,7 @@ export function AccountProfileTab() {
              id="username"
              {...form.register('username')}
              placeholder="Enter your username"
+              disabled={isDeactivated}
            />
            {form.formState.errors.username && (
              <p className="text-sm text-destructive">
@@ -325,9 +356,14 @@ export function AccountProfileTab() {
          </div>
        </div>

-        <Button type="submit" disabled={loading}>
+        <Button type="submit" disabled={loading || isDeactivated}>
          {loading ? 'Saving...' : 'Save Changes'}
        </Button>
+        {isDeactivated && (
+          <p className="text-sm text-muted-foreground">
+            Your account is deactivated. Profile editing is disabled.
+          </p>
+        )}
      </form>

      <Separator />
@@ -440,39 +476,36 @@ export function AccountProfileTab() {
        <CardHeader>
          <CardTitle className="text-destructive">Danger Zone</CardTitle>
          <CardDescription>
-            These actions cannot be undone. Please be careful.
+            Permanently delete your account with a 2-week waiting period
          </CardDescription>
        </CardHeader>
-        <CardContent>
-          <AlertDialog open={showDeleteDialog} onOpenChange={setShowDeleteDialog}>
-            <AlertDialogTrigger asChild>
-              <Button variant="destructive" className="w-fit">
-                <Trash2 className="w-4 h-4 mr-2" />
-                Delete Account
-              </Button>
-            </AlertDialogTrigger>
-            <AlertDialogContent>
-              <AlertDialogHeader>
-                <AlertDialogTitle>Are you absolutely sure?</AlertDialogTitle>
-                <AlertDialogDescription>
-                  This action cannot be undone. This will permanently delete your account
-                  and remove all your data from our servers, including your reviews,
-                  ride credits, and profile information.
-                </AlertDialogDescription>
-              </AlertDialogHeader>
-              <AlertDialogFooter>
-                <AlertDialogCancel>Cancel</AlertDialogCancel>
-                <AlertDialogAction
-                  onClick={handleDeleteAccount}
-                  className="bg-destructive text-destructive-foreground hover:bg-destructive/90"
-                >
-                  Yes, delete my account
-                </AlertDialogAction>
-              </AlertDialogFooter>
-            </AlertDialogContent>
-          </AlertDialog>
+        <CardContent className="space-y-4">
+          <div className="flex items-center justify-between">
+            <div className="space-y-1">
+              <p className="text-sm font-medium">Delete Account</p>
+              <p className="text-sm text-muted-foreground">
+                Your profile and reviews will be deleted, but your contributions (submissions, photos) will be preserved
+              </p>
+            </div>
+            <Button
+              variant="destructive"
+              onClick={() => setShowDeletionDialog(true)}
+              disabled={!!deletionRequest}
+            >
+              <Trash2 className="w-4 h-4 mr-2" />
+              {deletionRequest ? 'Deletion Pending' : 'Delete Account'}
+            </Button>
+          </div>
        </CardContent>
      </Card>
+
+      {/* Account Deletion Dialog */}
+      <AccountDeletionDialog
+        open={showDeletionDialog}
+        onOpenChange={setShowDeletionDialog}
+        userEmail={user?.email || ''}
+        onDeletionRequested={handleDeletionRequested}
+      />
    </div>
  );
 }
--- a/src/components/settings/DeletionStatusBanner.tsx
+++ b/src/components/settings/DeletionStatusBanner.tsx
@@ -0,0 +1,90 @@
+import { Alert, AlertDescription, AlertTitle } from '@/components/ui/alert';
+import { Button } from '@/components/ui/button';
+import { supabase } from '@/integrations/supabase/client';
+import { useToast } from '@/hooks/use-toast';
+import { AlertTriangle, Loader2 } from 'lucide-react';
+import { useState } from 'react';
+
+interface DeletionStatusBannerProps {
+  scheduledDate: string;
+  onCancelled: () => void;
+}
+
+export function DeletionStatusBanner({ scheduledDate, onCancelled }: DeletionStatusBannerProps) {
+  const [loading, setLoading] = useState(false);
+  const { toast } = useToast();
+
+  const calculateDaysRemaining = () => {
+    const scheduled = new Date(scheduledDate);
+    const now = new Date();
+    const diffTime = scheduled.getTime() - now.getTime();
+    const diffDays = Math.ceil(diffTime / (1000 * 60 * 60 * 24));
+    return Math.max(0, diffDays);
+  };
+
+  const handleCancelDeletion = async () => {
+    setLoading(true);
+    try {
+      const { error } = await supabase.functions.invoke('cancel-account-deletion', {
+        body: { cancellation_reason: 'User cancelled from settings' },
+      });
+
+      if (error) throw error;
+
+      toast({
+        title: 'Deletion Cancelled',
+        description: 'Your account has been reactivated.',
+      });
+
+      onCancelled();
+    } catch (error: any) {
+      toast({
+        variant: 'destructive',
+        title: 'Error',
+        description: error.message || 'Failed to cancel deletion',
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const daysRemaining = calculateDaysRemaining();
+  const formattedDate = new Date(scheduledDate).toLocaleDateString('en-US', {
+    weekday: 'long',
+    year: 'numeric',
+    month: 'long',
+    day: 'numeric',
+  });
+
+  return (
+    <Alert variant="destructive" className="mb-6">
+      <AlertTriangle className="w-4 h-4" />
+      <AlertTitle>Account Deletion Scheduled</AlertTitle>
+      <AlertDescription className="space-y-2">
+        <p>
+          Your account is scheduled for permanent deletion on <strong>{formattedDate}</strong>.
+        </p>
+        <p className="text-sm">
+          {daysRemaining > 0 ? (
+            <>
+              <strong>{daysRemaining}</strong> day{daysRemaining !== 1 ? 's' : ''} remaining to cancel.
+            </>
+          ) : (
+            'You can now confirm deletion with your confirmation code.'
+          )}
+        </p>
+        <div className="flex gap-2 mt-3">
+          <Button
+            variant="outline"
+            size="sm"
+            onClick={handleCancelDeletion}
+            disabled={loading}
+          >
+            {loading ? <Loader2 className="w-4 h-4 animate-spin mr-2" /> : null}
+            Cancel Deletion
+          </Button>
+        </div>
+      </AlertDescription>
+    </Alert>
+  );
+}
--- a/src/integrations/supabase/types.ts
+++ b/src/integrations/supabase/types.ts
@@ -14,6 +14,51 @@ export type Database = {
  }
  public: {
    Tables: {
+      account_deletion_requests: {
+        Row: {
+          cancellation_reason: string | null
+          cancelled_at: string | null
+          completed_at: string | null
+          confirmation_code: string
+          confirmation_code_sent_at: string | null
+          created_at: string
+          id: string
+          requested_at: string
+          scheduled_deletion_at: string
+          status: Database["public"]["Enums"]["account_deletion_status"]
+          updated_at: string
+          user_id: string
+        }
+        Insert: {
+          cancellation_reason?: string | null
+          cancelled_at?: string | null
+          completed_at?: string | null
+          confirmation_code: string
+          confirmation_code_sent_at?: string | null
+          created_at?: string
+          id?: string
+          requested_at?: string
+          scheduled_deletion_at: string
+          status?: Database["public"]["Enums"]["account_deletion_status"]
+          updated_at?: string
+          user_id: string
+        }
+        Update: {
+          cancellation_reason?: string | null
+          cancelled_at?: string | null
+          completed_at?: string | null
+          confirmation_code?: string
+          confirmation_code_sent_at?: string | null
+          created_at?: string
+          id?: string
+          requested_at?: string
+          scheduled_deletion_at?: string
+          status?: Database["public"]["Enums"]["account_deletion_status"]
+          updated_at?: string
+          user_id?: string
+        }
+        Relationships: []
+      }
      admin_audit_log: {
        Row: {
          action: string
@@ -1348,6 +1393,9 @@ export type Database = {
          coaster_count: number | null
          created_at: string
          date_of_birth: string | null
+          deactivated: boolean
+          deactivated_at: string | null
+          deactivation_reason: string | null
          display_name: string | null
          home_park_id: string | null
          id: string
@@ -1376,6 +1424,9 @@ export type Database = {
          coaster_count?: number | null
          created_at?: string
          date_of_birth?: string | null
+          deactivated?: boolean
+          deactivated_at?: string | null
+          deactivation_reason?: string | null
          display_name?: string | null
          home_park_id?: string | null
          id?: string
@@ -1404,6 +1455,9 @@ export type Database = {
          coaster_count?: number | null
          created_at?: string
          date_of_birth?: string | null
+          deactivated?: boolean
+          deactivated_at?: string | null
+          deactivation_reason?: string | null
          display_name?: string | null
          home_park_id?: string | null
          id?: string
@@ -2855,6 +2909,10 @@ export type Database = {
      }
    }
    Functions: {
+      anonymize_user_submissions: {
+        Args: { target_user_id: string }
+        Returns: undefined
+      }
      can_approve_submission_item: {
        Args: { item_id: string }
        Returns: boolean
@@ -2931,6 +2989,10 @@ export type Database = {
        Args: { url: string }
        Returns: string
      }
+      generate_deletion_confirmation_code: {
+        Args: Record<PropertyKey, never>
+        Returns: string
+      }
      get_filtered_profile: {
        Args: { _profile_user_id: string; _viewer_id?: string }
        Returns: Json
@@ -3039,6 +3101,11 @@ export type Database = {
      }
    }
    Enums: {
+      account_deletion_status:
+        | "pending"
+        | "confirmed"
+        | "cancelled"
+        | "completed"
      app_role: "admin" | "moderator" | "user" | "superuser"
      version_change_type:
        | "created"
@@ -3173,6 +3240,12 @@ export type CompositeTypes<
 export const Constants = {
  public: {
    Enums: {
+      account_deletion_status: [
+        "pending",
+        "confirmed",
+        "cancelled",
+        "completed",
+      ],
      app_role: ["admin", "moderator", "user", "superuser"],
      version_change_type: [
        "created",
--- a/supabase/functions/cancel-account-deletion/index.ts
+++ b/supabase/functions/cancel-account-deletion/index.ts
@@ -0,0 +1,129 @@
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+};
+
+serve(async (req) => {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { headers: corsHeaders });
+  }
+
+  try {
+    const { cancellation_reason } = await req.json();
+
+    const supabaseClient = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+      {
+        global: {
+          headers: { Authorization: req.headers.get('Authorization')! },
+        },
+      }
+    );
+
+    // Get authenticated user
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseClient.auth.getUser();
+
+    if (userError || !user) {
+      throw new Error('Unauthorized');
+    }
+
+    console.log(`Cancelling deletion request for user: ${user.id}`);
+
+    // Find pending deletion request
+    const { data: deletionRequest, error: requestError } = await supabaseClient
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('user_id', user.id)
+      .eq('status', 'pending')
+      .maybeSingle();
+
+    if (requestError || !deletionRequest) {
+      throw new Error('No pending deletion request found');
+    }
+
+    // Cancel deletion request
+    const { error: updateError } = await supabaseClient
+      .from('account_deletion_requests')
+      .update({
+        status: 'cancelled',
+        cancelled_at: new Date().toISOString(),
+        cancellation_reason: cancellation_reason || 'User cancelled',
+      })
+      .eq('id', deletionRequest.id);
+
+    if (updateError) {
+      throw updateError;
+    }
+
+    // Reactivate profile
+    const { error: profileError } = await supabaseClient
+      .from('profiles')
+      .update({
+        deactivated: false,
+        deactivated_at: null,
+        deactivation_reason: null,
+      })
+      .eq('user_id', user.id);
+
+    if (profileError) {
+      throw profileError;
+    }
+
+    // Send cancellation email
+    const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
+    const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
+
+    if (forwardEmailKey) {
+      try {
+        await fetch('https://api.forwardemail.net/v1/emails', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Basic ${btoa(forwardEmailKey + ':')}`,
+          },
+          body: JSON.stringify({
+            from: fromEmail,
+            to: user.email,
+            subject: 'Account Deletion Cancelled',
+            html: `
+              <h2>Account Deletion Cancelled</h2>
+              <p>Your account deletion request has been cancelled on ${new Date().toLocaleDateString()}.</p>
+              <p>Your account has been reactivated and you can continue using all features.</p>
+              <p>Welcome back!</p>
+            `,
+          }),
+        });
+        console.log('Cancellation confirmation email sent');
+      } catch (emailError) {
+        console.error('Failed to send email:', emailError);
+      }
+    }
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: 'Account deletion cancelled successfully',
+      }),
+      {
+        status: 200,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('Error cancelling deletion:', error);
+    return new Response(
+      JSON.stringify({ error: error.message }),
+      {
+        status: 400,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  }
+});
--- a/supabase/functions/confirm-account-deletion/index.ts
+++ b/supabase/functions/confirm-account-deletion/index.ts
@@ -0,0 +1,189 @@
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+};
+
+serve(async (req) => {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { headers: corsHeaders });
+  }
+
+  try {
+    const { confirmation_code } = await req.json();
+
+    if (!confirmation_code) {
+      throw new Error('Confirmation code is required');
+    }
+
+    const supabaseClient = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+      {
+        global: {
+          headers: { Authorization: req.headers.get('Authorization')! },
+        },
+      }
+    );
+
+    // Get authenticated user
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseClient.auth.getUser();
+
+    if (userError || !user) {
+      throw new Error('Unauthorized');
+    }
+
+    console.log(`Confirming deletion for user: ${user.id}`);
+
+    // Find deletion request
+    const { data: deletionRequest, error: requestError } = await supabaseClient
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('user_id', user.id)
+      .eq('status', 'pending')
+      .maybeSingle();
+
+    if (requestError || !deletionRequest) {
+      throw new Error('No pending deletion request found');
+    }
+
+    // Verify confirmation code
+    if (deletionRequest.confirmation_code !== confirmation_code) {
+      throw new Error('Invalid confirmation code');
+    }
+
+    // Check if 14 days have passed
+    const scheduledDate = new Date(deletionRequest.scheduled_deletion_at);
+    const now = new Date();
+
+    if (now < scheduledDate) {
+      const daysRemaining = Math.ceil((scheduledDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+      throw new Error(`You must wait ${daysRemaining} more day(s) before confirming deletion`);
+    }
+
+    // Use service role client for admin operations
+    const supabaseAdmin = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? ''
+    );
+
+    console.log('Starting deletion process...');
+
+    // Delete reviews (CASCADE will handle review_photos)
+    const { error: reviewsError } = await supabaseAdmin
+      .from('reviews')
+      .delete()
+      .eq('user_id', user.id);
+
+    if (reviewsError) {
+      console.error('Error deleting reviews:', reviewsError);
+    }
+
+    // Anonymize submissions and photos
+    const { error: anonymizeError } = await supabaseAdmin
+      .rpc('anonymize_user_submissions', { target_user_id: user.id });
+
+    if (anonymizeError) {
+      console.error('Error anonymizing submissions:', anonymizeError);
+    }
+
+    // Delete user roles
+    const { error: rolesError } = await supabaseAdmin
+      .from('user_roles')
+      .delete()
+      .eq('user_id', user.id);
+
+    if (rolesError) {
+      console.error('Error deleting user roles:', rolesError);
+    }
+
+    // Delete profile
+    const { error: profileError } = await supabaseAdmin
+      .from('profiles')
+      .delete()
+      .eq('user_id', user.id);
+
+    if (profileError) {
+      console.error('Error deleting profile:', profileError);
+      throw profileError;
+    }
+
+    // Update deletion request status
+    const { error: updateError } = await supabaseAdmin
+      .from('account_deletion_requests')
+      .update({
+        status: 'completed',
+        completed_at: new Date().toISOString(),
+      })
+      .eq('id', deletionRequest.id);
+
+    if (updateError) {
+      console.error('Error updating deletion request:', updateError);
+    }
+
+    // Delete auth user (this should cascade delete the deletion request)
+    const { error: authError } = await supabaseAdmin.auth.admin.deleteUser(user.id);
+
+    if (authError) {
+      console.error('Error deleting auth user:', authError);
+      throw authError;
+    }
+
+    // Send confirmation email
+    const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
+    const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
+
+    if (forwardEmailKey) {
+      try {
+        await fetch('https://api.forwardemail.net/v1/emails', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Basic ${btoa(forwardEmailKey + ':')}`,
+          },
+          body: JSON.stringify({
+            from: fromEmail,
+            to: user.email,
+            subject: 'Account Deletion Confirmed',
+            html: `
+              <h2>Account Deletion Confirmed</h2>
+              <p>Your account has been permanently deleted on ${new Date().toLocaleDateString()}.</p>
+              <p>Your profile and reviews have been removed, but your contributions to the database remain preserved.</p>
+              <p>Thank you for being part of our community.</p>
+            `,
+          }),
+        });
+        console.log('Deletion confirmation email sent');
+      } catch (emailError) {
+        console.error('Failed to send email:', emailError);
+      }
+    }
+
+    console.log('Account deletion completed successfully');
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: 'Account deleted successfully',
+      }),
+      {
+        status: 200,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('Error confirming deletion:', error);
+    return new Response(
+      JSON.stringify({ error: error.message }),
+      {
+        status: 400,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  }
+});
--- a/supabase/functions/process-scheduled-deletions/index.ts
+++ b/supabase/functions/process-scheduled-deletions/index.ts
@@ -0,0 +1,159 @@
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+};
+
+serve(async (req) => {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { headers: corsHeaders });
+  }
+
+  try {
+    // Use service role for admin operations
+    const supabaseAdmin = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? ''
+    );
+
+    console.log('Processing scheduled account deletions...');
+
+    // Find pending deletion requests that are past their scheduled date
+    const { data: pendingDeletions, error: fetchError } = await supabaseAdmin
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('status', 'pending')
+      .lt('scheduled_deletion_at', new Date().toISOString());
+
+    if (fetchError) {
+      throw fetchError;
+    }
+
+    if (!pendingDeletions || pendingDeletions.length === 0) {
+      console.log('No deletions to process');
+      return new Response(
+        JSON.stringify({
+          success: true,
+          message: 'No deletions to process',
+          processed: 0,
+        }),
+        {
+          status: 200,
+          headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+        }
+      );
+    }
+
+    console.log(`Found ${pendingDeletions.length} deletion(s) to process`);
+
+    let successCount = 0;
+    let errorCount = 0;
+
+    for (const deletion of pendingDeletions) {
+      try {
+        console.log(`Processing deletion for user: ${deletion.user_id}`);
+
+        // Get user email for confirmation email
+        const { data: userData } = await supabaseAdmin.auth.admin.getUserById(deletion.user_id);
+        const userEmail = userData?.user?.email;
+
+        // Delete reviews (CASCADE will handle review_photos)
+        await supabaseAdmin
+          .from('reviews')
+          .delete()
+          .eq('user_id', deletion.user_id);
+
+        // Anonymize submissions and photos
+        await supabaseAdmin
+          .rpc('anonymize_user_submissions', { target_user_id: deletion.user_id });
+
+        // Delete user roles
+        await supabaseAdmin
+          .from('user_roles')
+          .delete()
+          .eq('user_id', deletion.user_id);
+
+        // Delete profile
+        await supabaseAdmin
+          .from('profiles')
+          .delete()
+          .eq('user_id', deletion.user_id);
+
+        // Update deletion request status
+        await supabaseAdmin
+          .from('account_deletion_requests')
+          .update({
+            status: 'completed',
+            completed_at: new Date().toISOString(),
+          })
+          .eq('id', deletion.id);
+
+        // Delete auth user
+        await supabaseAdmin.auth.admin.deleteUser(deletion.user_id);
+
+        // Send final confirmation email if we have the email
+        if (userEmail) {
+          const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
+          const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
+
+          if (forwardEmailKey) {
+            try {
+              await fetch('https://api.forwardemail.net/v1/emails', {
+                method: 'POST',
+                headers: {
+                  'Content-Type': 'application/json',
+                  'Authorization': `Basic ${btoa(forwardEmailKey + ':')}`,
+                },
+                body: JSON.stringify({
+                  from: fromEmail,
+                  to: userEmail,
+                  subject: 'Account Deletion Completed',
+                  html: `
+                    <h2>Account Deletion Completed</h2>
+                    <p>Your account has been automatically deleted as scheduled on ${new Date().toLocaleDateString()}.</p>
+                    <p>Your profile and reviews have been removed, but your contributions to the database remain preserved.</p>
+                    <p>Thank you for being part of our community.</p>
+                  `,
+                }),
+              });
+            } catch (emailError) {
+              console.error('Failed to send confirmation email:', emailError);
+            }
+          }
+        }
+
+        successCount++;
+        console.log(`Successfully deleted account for user: ${deletion.user_id}`);
+      } catch (error) {
+        errorCount++;
+        console.error(`Failed to delete account for user ${deletion.user_id}:`, error);
+      }
+    }
+
+    console.log(`Processed ${successCount} deletion(s) successfully, ${errorCount} error(s)`);
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: `Processed ${successCount} deletion(s)`,
+        processed: successCount,
+        errors: errorCount,
+      }),
+      {
+        status: 200,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('Error processing scheduled deletions:', error);
+    return new Response(
+      JSON.stringify({ error: error.message }),
+      {
+        status: 500,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  }
+});
--- a/supabase/functions/request-account-deletion/index.ts
+++ b/supabase/functions/request-account-deletion/index.ts
@@ -0,0 +1,181 @@
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+};
+
+serve(async (req) => {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { headers: corsHeaders });
+  }
+
+  try {
+    const supabaseClient = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+      {
+        global: {
+          headers: { Authorization: req.headers.get('Authorization')! },
+        },
+      }
+    );
+
+    // Get authenticated user
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseClient.auth.getUser();
+
+    if (userError || !user) {
+      throw new Error('Unauthorized');
+    }
+
+    console.log(`Processing deletion request for user: ${user.id}`);
+
+    // Check for existing pending deletion request
+    const { data: existingRequest } = await supabaseClient
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('user_id', user.id)
+      .eq('status', 'pending')
+      .maybeSingle();
+
+    if (existingRequest) {
+      return new Response(
+        JSON.stringify({
+          error: 'You already have a pending deletion request',
+          request: existingRequest,
+        }),
+        {
+          status: 400,
+          headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+        }
+      );
+    }
+
+    // Generate confirmation code
+    const { data: codeData, error: codeError } = await supabaseClient
+      .rpc('generate_deletion_confirmation_code');
+
+    if (codeError) {
+      throw codeError;
+    }
+
+    const confirmationCode = codeData as string;
+    const scheduledDeletionAt = new Date();
+    scheduledDeletionAt.setDate(scheduledDeletionAt.getDate() + 14);
+
+    // Create deletion request
+    const { data: deletionRequest, error: requestError } = await supabaseClient
+      .from('account_deletion_requests')
+      .insert({
+        user_id: user.id,
+        confirmation_code: confirmationCode,
+        confirmation_code_sent_at: new Date().toISOString(),
+        scheduled_deletion_at: scheduledDeletionAt.toISOString(),
+        status: 'pending',
+      })
+      .select()
+      .single();
+
+    if (requestError) {
+      throw requestError;
+    }
+
+    // Deactivate profile
+    const { error: profileError } = await supabaseClient
+      .from('profiles')
+      .update({
+        deactivated: true,
+        deactivated_at: new Date().toISOString(),
+        deactivation_reason: 'User requested account deletion',
+      })
+      .eq('user_id', user.id);
+
+    if (profileError) {
+      throw profileError;
+    }
+
+    // Send confirmation email
+    const emailPayload = {
+      to: user.email,
+      subject: 'Account Deletion Requested - Confirmation Code Inside',
+      html: `
+        <h2>Account Deletion Requested</h2>
+        <p>Hello,</p>
+        <p>We received a request to delete your account on ${new Date().toLocaleDateString()}.</p>
+        
+        <h3>IMPORTANT INFORMATION:</h3>
+        <p>Your account has been deactivated and will be permanently deleted on <strong>${scheduledDeletionAt.toLocaleDateString()}</strong> (14 days from now).</p>
+        
+        <h4>What will be DELETED:</h4>
+        <ul>
+          <li>✗ Your profile information (username, bio, avatar, etc.)</li>
+          <li>✗ Your reviews and ratings</li>
+          <li>✗ Your personal preferences and settings</li>
+        </ul>
+        
+        <h4>What will be PRESERVED:</h4>
+        <ul>
+          <li>✓ Your database submissions (park creations, ride additions, edits)</li>
+          <li>✓ Photos you've uploaded (will be shown as "Submitted by [deleted user]")</li>
+          <li>✓ Edit history and contributions</li>
+        </ul>
+        
+        <h3>CONFIRMATION CODE: <strong>${confirmationCode}</strong></h3>
+        <p>To confirm deletion after the 14-day period, you'll need to enter this 6-digit code.</p>
+        
+        <p><strong>Need to cancel?</strong> Log in and visit your account settings to reactivate your account at any time during the next 14 days.</p>
+      `,
+    };
+
+    // Send via ForwardEmail API
+    const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
+    const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
+
+    if (forwardEmailKey) {
+      try {
+        await fetch('https://api.forwardemail.net/v1/emails', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Basic ${btoa(forwardEmailKey + ':')}`,
+          },
+          body: JSON.stringify({
+            from: fromEmail,
+            to: emailPayload.to,
+            subject: emailPayload.subject,
+            html: emailPayload.html,
+          }),
+        });
+        console.log('Deletion confirmation email sent');
+      } catch (emailError) {
+        console.error('Failed to send email:', emailError);
+      }
+    }
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: 'Account deletion request created successfully',
+        scheduled_deletion_at: scheduledDeletionAt.toISOString(),
+        request_id: deletionRequest.id,
+      }),
+      {
+        status: 200,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('Error processing deletion request:', error);
+    return new Response(
+      JSON.stringify({ error: error.message }),
+      {
+        status: 400,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  }
+});
--- a/supabase/functions/resend-deletion-code/index.ts
+++ b/supabase/functions/resend-deletion-code/index.ts
@@ -0,0 +1,137 @@
+import { serve } from 'https://deno.land/std@0.168.0/http/server.ts';
+import { createClient } from 'https://esm.sh/@supabase/supabase-js@2';
+
+const corsHeaders = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
+};
+
+serve(async (req) => {
+  if (req.method === 'OPTIONS') {
+    return new Response(null, { headers: corsHeaders });
+  }
+
+  try {
+    const supabaseClient = createClient(
+      Deno.env.get('SUPABASE_URL') ?? '',
+      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
+      {
+        global: {
+          headers: { Authorization: req.headers.get('Authorization')! },
+        },
+      }
+    );
+
+    // Get authenticated user
+    const {
+      data: { user },
+      error: userError,
+    } = await supabaseClient.auth.getUser();
+
+    if (userError || !user) {
+      throw new Error('Unauthorized');
+    }
+
+    console.log(`Resending deletion code for user: ${user.id}`);
+
+    // Find pending deletion request
+    const { data: deletionRequest, error: requestError } = await supabaseClient
+      .from('account_deletion_requests')
+      .select('*')
+      .eq('user_id', user.id)
+      .eq('status', 'pending')
+      .maybeSingle();
+
+    if (requestError || !deletionRequest) {
+      throw new Error('No pending deletion request found');
+    }
+
+    // Check rate limiting (max 3 resends per hour)
+    const lastSent = new Date(deletionRequest.confirmation_code_sent_at);
+    const now = new Date();
+    const hoursSinceLastSend = (now.getTime() - lastSent.getTime()) / (1000 * 60 * 60);
+
+    if (hoursSinceLastSend < 0.33) { // ~20 minutes between resends
+      throw new Error('Please wait at least 20 minutes between resend requests');
+    }
+
+    // Generate new confirmation code
+    const { data: codeData, error: codeError } = await supabaseClient
+      .rpc('generate_deletion_confirmation_code');
+
+    if (codeError) {
+      throw codeError;
+    }
+
+    const confirmationCode = codeData as string;
+
+    // Update deletion request with new code
+    const { error: updateError } = await supabaseClient
+      .from('account_deletion_requests')
+      .update({
+        confirmation_code: confirmationCode,
+        confirmation_code_sent_at: now.toISOString(),
+      })
+      .eq('id', deletionRequest.id);
+
+    if (updateError) {
+      throw updateError;
+    }
+
+    const scheduledDate = new Date(deletionRequest.scheduled_deletion_at);
+
+    // Send email with new code
+    const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
+    const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
+
+    if (forwardEmailKey) {
+      try {
+        await fetch('https://api.forwardemail.net/v1/emails', {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            'Authorization': `Basic ${btoa(forwardEmailKey + ':')}`,
+          },
+          body: JSON.stringify({
+            from: fromEmail,
+            to: user.email,
+            subject: 'Account Deletion - New Confirmation Code',
+            html: `
+              <h2>New Confirmation Code</h2>
+              <p>You requested a new confirmation code for your account deletion.</p>
+              <p>Your account will be permanently deleted on <strong>${scheduledDate.toLocaleDateString()}</strong>.</p>
+              
+              <h3>CONFIRMATION CODE: <strong>${confirmationCode}</strong></h3>
+              <p>To confirm deletion after the waiting period, you'll need to enter this 6-digit code.</p>
+              
+              <p><strong>Need to cancel?</strong> Log in and visit your account settings to reactivate your account.</p>
+            `,
+          }),
+        });
+        console.log('New confirmation code email sent');
+      } catch (emailError) {
+        console.error('Failed to send email:', emailError);
+      }
+    }
+
+    return new Response(
+      JSON.stringify({
+        success: true,
+        message: 'New confirmation code sent successfully',
+      }),
+      {
+        status: 200,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  } catch (error) {
+    console.error('Error resending code:', error);
+    return new Response(
+      JSON.stringify({ error: error.message }),
+      {
+        status: 400,
+        headers: { ...corsHeaders, 'Content-Type': 'application/json' },
+      }
+    );
+  }
+});
--- a/supabase/migrations/20251012141402_a98e8fc9-ceb3-4a78-87e2-8246b4e63b17.sql
+++ b/supabase/migrations/20251012141402_a98e8fc9-ceb3-4a78-87e2-8246b4e63b17.sql
@@ -0,0 +1,106 @@
+-- Create account deletion status enum
+CREATE TYPE account_deletion_status AS ENUM ('pending', 'confirmed', 'cancelled', 'completed');
+
+-- Create account deletion requests table
+CREATE TABLE account_deletion_requests (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  requested_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+  scheduled_deletion_at TIMESTAMP WITH TIME ZONE NOT NULL,
+  confirmation_code TEXT NOT NULL,
+  confirmation_code_sent_at TIMESTAMP WITH TIME ZONE,
+  status account_deletion_status NOT NULL DEFAULT 'pending',
+  cancelled_at TIMESTAMP WITH TIME ZONE,
+  completed_at TIMESTAMP WITH TIME ZONE,
+  cancellation_reason TEXT,
+  created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
+);
+
+-- Add unique constraint for active deletions
+CREATE UNIQUE INDEX unique_active_deletion_per_user 
+ON account_deletion_requests(user_id) 
+WHERE status = 'pending';
+
+-- Add index for scheduled deletions
+CREATE INDEX idx_account_deletions_scheduled 
+ON account_deletion_requests(scheduled_deletion_at) 
+WHERE status = 'pending';
+
+-- Enable RLS
+ALTER TABLE account_deletion_requests ENABLE ROW LEVEL SECURITY;
+
+-- RLS Policies
+CREATE POLICY "Users can view their own deletion requests"
+  ON account_deletion_requests FOR SELECT
+  USING (auth.uid() = user_id);
+
+CREATE POLICY "Users can insert their own deletion requests"
+  ON account_deletion_requests FOR INSERT
+  WITH CHECK (auth.uid() = user_id);
+
+CREATE POLICY "Users can update their own deletion requests"
+  ON account_deletion_requests FOR UPDATE
+  USING (auth.uid() = user_id);
+
+CREATE POLICY "Admins can view all deletion requests"
+  ON account_deletion_requests FOR SELECT
+  USING (is_moderator(auth.uid()));
+
+-- Add deactivation columns to profiles
+ALTER TABLE profiles 
+ADD COLUMN deactivated BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN deactivated_at TIMESTAMP WITH TIME ZONE,
+ADD COLUMN deactivation_reason TEXT;
+
+-- Index for deactivated profiles
+CREATE INDEX idx_profiles_deactivated ON profiles(deactivated) WHERE deactivated = true;
+
+-- Update profile RLS to hide deactivated profiles
+CREATE POLICY "Hide deactivated profiles from public"
+  ON profiles FOR SELECT
+  USING (
+    NOT deactivated OR auth.uid() = user_id OR is_moderator(auth.uid())
+  );
+
+-- Helper function to generate confirmation code
+CREATE OR REPLACE FUNCTION generate_deletion_confirmation_code()
+RETURNS TEXT
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  code TEXT;
+BEGIN
+  code := LPAD(FLOOR(RANDOM() * 1000000)::TEXT, 6, '0');
+  RETURN code;
+END;
+$$;
+
+-- Helper function to anonymize user data
+CREATE OR REPLACE FUNCTION anonymize_user_submissions(target_user_id UUID)
+RETURNS VOID
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  -- Nullify user_id in content_submissions to preserve submissions
+  UPDATE content_submissions
+  SET user_id = NULL
+  WHERE user_id = target_user_id;
+  
+  -- Nullify submitted_by in photos to preserve photos
+  UPDATE photos
+  SET submitted_by = NULL,
+      photographer_credit = '[Deleted User]'
+  WHERE submitted_by = target_user_id;
+END;
+$$;
+
+-- Add trigger for updated_at on account_deletion_requests
+CREATE TRIGGER update_account_deletion_requests_updated_at
+  BEFORE UPDATE ON account_deletion_requests
+  FOR EACH ROW
+  EXECUTE FUNCTION update_updated_at_column();