Compliance

Google Play Account Deletion URL: How to Comply Without Building a Backend

Everything you need to know about Google Play's account deletion URL requirement — what the page must do, what it must not do, Play Console setup, and three ways to comply without writing backend code.

10 min read

Google Play Account Deletion URL: How to Comply Without Building a Backend

Your app lets users create an account. Google Play now needs a public web URL where any user — without opening your app, without signing in, without installing anything — can request that their account and data be deleted. If you do not provide that URL in the Data Safety form, you cannot submit updates. If the URL you provide is broken, a marketing page, or hidden behind a login, Google will reject it.

This guide walks through exactly what the URL has to do, what it cannot do, how to enter it in Play Console, and three ways to comply — from building your own backend endpoint to using a ready-made solution that most indie developers land on after trying the other two.

TL;DR

  • Google Play requires both an in-app account deletion option and a public web URL for deletion, for every app that lets users create an account.
  • The URL must be HTTPS, publicly reachable without login, and link directly to the deletion page — no intermediate "sign in first" step.
  • The page must clearly list what gets deleted, disclose what is retained (and why), warn about permanence, and offer a support contact.
  • Three ways to comply: build your own endpoint, use a generic form tool, or use a purpose-built solution that gives you a deletion URL out of the box.
  • You also have to actually delete the data — the URL is only the front door.

Table of Contents

What Google Actually Requires

In April 2023, the Android Developers Blog announced the policy: "For apps that enable app account creation, developers will soon need to provide an option to initiate account and data deletion from within the app and online." The policy now applies to every app on the Play Store that offers account creation.

The requirement has two parts that are easy to conflate and must both be satisfied:

  1. In-app deletion. Users must be able to initiate account deletion from inside the app itself — usually from settings or a profile screen. It must not be hidden behind "contact support." A single tap is ideal; a single tap plus a confirmation is acceptable.

  2. Web deletion URL. A publicly accessible web page where users can request deletion without installing or opening the app. This exists because a user who deleted the app can no longer use the in-app flow, and because Google wants users to be able to exercise their rights even if the app itself is broken.

When a user requests deletion — by either route — you must delete the associated user data. Google allows you to retain specific categories of data for "security, fraud prevention, or regulatory compliance," but you must clearly disclose exactly what you keep and why.

Google also allows selective data deletion — activity history, images, videos, and similar — as an option alongside full account deletion, but the full account path has to exist.

The Timeline (and Why You Have to Be Compliant Today)

  • April 2023 — Policy announced.
  • December 7, 2023 — Original compliance deadline for the Data Safety form.
  • Early 2024 — Google Play product pages started showing data deletion badges.
  • May 31, 2024 — Extension deadline for developers who requested one.

As of 2026, the extensions are long expired. Any app that enables account creation and does not have a working deletion URL entered in the Data Safety form cannot ship updates. If you are reading this because Play Console flagged you, you are already behind the deadline — the fastest fix matters more than the elegant fix.

What the Deletion Page Must Do

Google's help documentation plus practical experience from rejected-and-reapproved apps point to the same checklist. Your web deletion page must:

Be reachable without friction.

  • HTTPS only (plain HTTP is rejected).
  • Publicly accessible without a login wall.
  • Direct link — the URL you submit goes to the deletion page itself, not a homepage with a buried link.
  • Mobile-responsive (most users will tap the link from a phone).

Make the flow clear.

  • Step-by-step instructions for requesting deletion — typically: enter email, receive verification code or link, confirm.
  • Identity verification is allowed as part of the deletion flow (you do not have to delete accounts for anyone who asks without any proof). But it must be verification of the requester, not a general login to your app.

Disclose exactly what gets deleted.

  • Profile information (name, email, profile photo, bio).
  • User-generated content (posts, uploads, messages).
  • Payment methods and transaction history, where you are allowed to delete them.
  • Device and session data.
  • Any other data tied to the account.

Disclose what is retained and why.

  • Financial and tax records you are legally required to keep.
  • Fraud and abuse prevention records.
  • Data subject to a legal hold.
  • Aggregated, anonymized analytics data (if you still consider it your data).

Warn about permanence.

  • Users should know deletion is irreversible before they confirm.
  • A visible warning ("This cannot be undone") is the usual pattern.

Offer a support path.

  • An email, contact form, or help center link for users who have trouble completing the request.

Actually delete the data.

  • This is the invisible part of the requirement. Google's wording is that data must be deleted "within a reasonably quick period of time," and that local laws (GDPR's 30-day response window, CCPA timelines) may impose stricter windows. If you have third-party integrations (Firebase, Stripe, analytics providers), you are responsible for making sure user data is deleted in those systems too.

Three Ways to Comply

In practice, every team that solves this problem picks one of these three paths.

Option 1: Build Your Own Endpoint

Add a /delete-account route to your marketing site or API, build a form, hook it to your auth system, send a verification email, delete the user record, call the third-party APIs that need to delete the user from their systems, and keep a log for the required retention window.

Pros.

  • Full control over the flow, the copy, the UX, and the deletion logic.
  • Deeply integrated with your actual auth and data layer — verification can use your existing accounts.
  • No third-party dependency or ongoing subscription.
  • Easy to audit for GDPR/CCPA compliance because you own the code.

Cons.

  • Meaningful engineering work — auth verification, email delivery, form handling, a durable queue so a failed deletion retries, admin UI to review requests, localization if you ship in multiple languages.
  • Ongoing maintenance: new SDKs get added to the app, the deletion routine has to be updated each time, or the page quietly drifts out of date.
  • Most solo developers underestimate the time to build this to a standard Google will accept.

Best for. Teams with an existing web backend, an existing auth stack, and engineering cycles to spare.

Option 2: Use a Generic Form Tool

Tally, Typeform, Google Forms, or a similar hosted form collects the user's email and a deletion request, then either emails you or drops the request into a sheet. You process the requests manually.

Pros.

  • Set up in under an hour.
  • Free tier is usually enough for the low volume of real deletion requests.
  • No engineering work — the form lives entirely outside your codebase.
  • Familiar tools that your non-technical teammates can also review.

Cons.

  • You still have to do the actual deletion manually, in whatever backend systems hold user data. The URL is compliant; your process is not.
  • Most generic forms require JavaScript, which can make mobile load experience flaky.
  • Copy and disclosures have to be hand-crafted in the form description, which is usually where teams fall short of Google's content requirements.
  • No audit log beyond what the form tool provides — you will want one when a deletion request goes wrong.
  • Some subreddits and compliance reviewers have flagged Google Forms as insufficient because it requires a Google account to submit in some configurations.

Best for. Side projects with fewer than a handful of real deletion requests per month, where a manual process is survivable.

Option 3: Use a Purpose-Built Solution

A tool designed specifically for the Google Play account deletion URL requirement gives you a ready-made page, the right copy, the verification flow, and ideally a way to route requests back to your backend without writing code.

AppLander was built for exactly this problem, among others. Every app you create in AppLander gets a dedicated /delete-account page at your app's public URL — either yourapp.applander.io/delete-account or at your own custom domain. The page is mobile-responsive, multi-language, hosted on HTTPS, and includes the required disclosures out of the box. When a user submits a request, it lands in your AppLander dashboard so you can track it, mark it as completed, and keep an audit log.

AppLander does not automatically delete user data from your backend — that remains your responsibility, since only you know where the user's data actually lives. What it gives you is the compliant front door and a verifiable process, so you can focus on the backend deletion logic rather than on building a form, email verification, and hosting from scratch.

Pros.

  • A working, Google-compliant URL in minutes, not days.
  • Mobile-responsive and multi-language from the start.
  • Deletion requests land in a dashboard so you have an audit trail.
  • Same dashboard also hosts your privacy policy, terms, support page, FAQ, and landing page, so you are not stitching five tools together.
  • Purpose-built for mobile app developers, so the copy already satisfies Google's content requirements.

Cons.

  • You still need to actually delete the user's data in your backend — AppLander cannot do that for you because it does not have access to your systems.
  • If you only need the deletion URL and nothing else, it is heavier than a form tool. (If you also need a privacy policy, terms, support page, FAQ, and landing page — which most developers do — it is the lighter option.)

Best for. Mobile app developers who want a compliant URL without engineering time and who also need the other compliance assets Google and Apple require.

How to Configure the URL in Play Console

Once your deletion page exists and works, enter it in Play Console:

  1. Open Google Play Console.
  2. Select your app from the All Apps dashboard.
  3. In the left sidebar, go to Policy → App Content.
  4. Scroll to the Account Deletion section and click Manage.
  5. Under "Web URL for Account Deletion," enter your full URL — for example, https://yourapp.com/delete-account or https://yourapp.applander.io/delete-account.
  6. Click Save, then Submit.
  7. Google reviews the URL; expect a 1–3 business day turnaround before the status updates.

The URL also has to be reflected in the Data Safety form. Check the Data deletion section of the Data Safety form and confirm the same URL is listed and the answers match what the page actually does.

Common Reasons Google Rejects the URL

From rejection reports developers have shared publicly, these are the most common reasons a deletion URL is rejected:

  • The URL points to the homepage. It must link directly to the deletion page.
  • The page requires signing in to the full app before showing the deletion option. Verification of identity is allowed; requiring a full app login is not.
  • The page is behind a paywall or requires an active subscription.
  • The page is plain HTTP, not HTTPS.
  • The page is a Google Form in a configuration that requires a Google account to submit.
  • The page fails to load on mobile, or is broken in a modern browser.
  • The page does not describe what gets deleted in enough detail, or does not disclose retained data.
  • The in-app flow does not exist — Google checks both the in-app path and the web URL, and will reject if either is missing.

Before submitting, test the URL from an incognito browser on a phone, with no app installed. That is the experience Google's reviewers see.

Frequently Asked Questions

Do I need this if my app does not have accounts?

No. The requirement only applies to apps that let users create an account. If your app is purely anonymous, you can indicate that in the Data Safety form and skip the deletion URL.

Can I use the same URL for multiple apps?

Yes, if the page clearly lets users specify which app they are requesting deletion for, and if the page's disclosures accurately cover all the apps it represents. In practice, a per-app page is safer and rejects fewer review passes.

How fast do I have to delete the data after a request?

Google's own wording is "within a reasonably quick period of time." GDPR Article 17 gives you one month, extendable to three in complex cases. CCPA gives you 45 days. Pick the strictest window that applies to your users and treat that as the rule.

Can I refuse to delete an account?

Only for narrow reasons: you have a legal obligation to retain the data (tax records, AML records), you need it for fraud prevention, or the request is clearly from a third party who is not the account owner. You must disclose these exceptions on the deletion page.

What about the in-app flow? Is that covered by a deletion URL?

No. The web URL and the in-app flow are separate requirements. You must have both. An in-app "Delete account" button that links out to the web URL is not sufficient on its own — the in-app path must actually initiate deletion.

How does this relate to my privacy policy?

They are related but separate documents. The privacy policy must describe users' rights to delete their data; the deletion URL is where they actually exercise that right. See our guide to privacy policy generators for mobile apps for the policy side.

Conclusion

The Google Play account deletion URL requirement is one of those compliance items that looks tiny on the policy page and turns into a weekend of work when you try to build it yourself. A form tool gets you a URL fast but leaves the compliant-copy and audit-trail problems unsolved. A purpose-built tool solves both without the engineering cost.

If you are building your own stack from scratch, the plumbing is straightforward — a form, an email verification step, a deletion queue, an admin log. If you are looking for the fastest path to a compliant URL, AppLander gives you one out of the box along with the rest of the compliance assets the App Store and Play Store ask for.

Sources

Ship your app faster with AppLander

The all-in-one compliance and landing-page platform for mobile app developers.

Start Free