Frequently Asked Questions
Everything you need to know about WipeMe and the right to data erasure.
What is the right to erasure?
Article 17 GDPR gives you the right to request that companies delete your personal data. Companies have 30 days to respond after receiving your request. For particularly complex requests they may extend the deadline by up to two further months, but must notify you within the first 30 days. The right applies to all individuals residing in the EU/EEA.
How does WipeMe work?
WipeMe follows three steps:
1. You connect your email account via IMAP using an app password.
2. WipeMe scans your inbox for sign-up confirmation emails and identifies which services you are registered with.
3. WipeMe generates legally appropriate deletion requests and sends them directly through your own SMTP server.
Is it safe to enter my email password?
Your credentials are encrypted client-side using AES-256-GCM before leaving your device. The WipeMe server processes them exclusively in RAM for the duration of the scan or sending operation and immediately discards them afterwards.
- No database, no log file, no disk storage.
- Recommended: use an app password instead of your main password.
What is an app password?
An app password is a separate, specially generated password for third-party applications that you can create in your email provider's security settings. It allows WipeMe to access IMAP/SMTP without exposing your actual account password. App passwords can be revoked at any time. Gmail, Outlook, GMX, web.de, and most other providers support this feature.
Which email providers are supported?
WipeMe natively supports the most common providers:
- Gmail, Outlook / Hotmail
- GMX, web.de
- Yahoo Mail, iCloud Mail
- ProtonMail (via the Bridge)
Beyond these, WipeMe works with any email account that offers IMAP and SMTP — you can enter server details and ports manually.
How long do companies have to respond?
Under GDPR, companies have 30 days to respond to a deletion request. For particularly complex or numerous requests they may extend the deadline by up to two further months. They are then required to inform you of the extension within the first 30 days and provide a reason.
What happens if a company does not respond?
WipeMe will alert you in the tracking dashboard when the 30-day deadline approaches and help you send a follow-up email.
If the company still does not respond, you can file a complaint with the relevant data protection authority — for example the ICO in the UK or your national supervisory authority within the EU.
Does WipeMe cost anything?
No. WipeMe is completely free and open source under the MIT license.
- Free to use at wipeme.cc.
- Self-hostable on your own infrastructure.
- No premium version, no advertising, no hidden fees.
Is WipeMe open source?
Yes. WipeMe is licensed under MIT. The full source code is available on GitHub, fully auditable, and free to use, fork, and self-host. Transparency is a core principle: you can see exactly what WipeMe does with your data — which is nothing permanent.
Where is my data stored?
Exclusively in your own browser. No user data is stored on the server.
- localStorage: found services, send status, language preference.
- sessionStorage: encrypted credentials, deleted automatically when you close the tab.
- All locally stored data can be deleted at any time through the app or your browser settings.
Can I send all requests at once?
Yes. When you select multiple services, the bulk send dialog opens. You enter your name once, pick the language, and WipeMe sends to each service in sequence. You see a progress bar throughout and a summary at the end showing what worked and what did not.
Does WipeMe find newsletter subscriptions too?
Yes. In addition to sign-up confirmations, WipeMe also detects newsletter subscriptions. In the results you can filter between accounts and newsletters. Newsletters get their own template that combines unsubscribe and data deletion in one request.
Can I import accounts from my password manager?
Yes. You can upload a CSV export from Chrome, Firefox, 1Password, or Bitwarden. WipeMe only reads the URLs, matches them against the company database, and ignores the passwords entirely.
The file never leaves your browser.
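The URL-only import described above can be sketched as follows. This is an added example, not WipeMe's own code: the header names in `URL_COLUMNS` are assumptions about the listed exports, and the sample file is constructed. Only hostnames are returned, so password cells are parsed but never kept.

```javascript
// Header names assumed for the URL column (Chrome/Firefox/1Password "url", Bitwarden "login_uri").
const URL_COLUMNS = ["url", "login_uri"];

// Small RFC 4180 reader: quoted fields, "" escapes, commas and newlines inside quotes.
function parseCsv(text) {
  const rows = [];
  let row = [], field = "", quoted = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quoted) {
      if (c === '"' && text[i + 1] === '"') { field += '"'; i++; }
      else if (c === '"') quoted = false;
      else field += c;
    } else if (c === '"') quoted = true;
    else if (c === ",") { row.push(field); field = ""; }
    else if (c === "\n" || c === "\r") {
      if (c === "\r" && text[i + 1] === "\n") i++;
      row.push(field); rows.push(row); row = []; field = "";
    } else field += c;
  }
  if (field !== "" || row.length) { row.push(field); rows.push(row); }
  return rows;
}

// Returns sorted, de-duplicated hostnames; no other column leaves this function.
function extractHosts(csvText) {
  const [header = [], ...rows] = parseCsv(csvText);
  const idx = header.findIndex(h => URL_COLUMNS.includes(h.trim().toLowerCase()));
  if (idx === -1) throw new Error("no URL column found");
  const hosts = new Set();
  for (const row of rows) {
    try {
      const u = new URL(row[idx]);
      if (/^https?:$/.test(u.protocol)) hosts.add(u.hostname.replace(/^www\./, ""));
    } catch { /* blank or malformed URL cell: skip the row */ }
  }
  return [...hosts].sort();
}

// Constructed sample in a Chrome-style layout; the passwords are fake.
const SAMPLE = [
  "name,url,username,password",
  'shop,https://www.shop.example/login,alice,"p,w""1"',
  "forum,https://forum.example/,alice,hunter2",
  "dup,https://shop.example/account,alice,other",
  "app,android://abc@com.example.app/,alice,x",
  "broken,,alice,y",
].join("\n");
console.log(extractHosts(SAMPLE)); // hostnames only
```

The resulting hostnames are what would then be matched against a company database.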
Which privacy laws are supported?
WipeMe generates requests for ten legal frameworks:
- GDPR (EU) — 30 days
- UK GDPR — 30 days
- CCPA (USA) — 45 days
- LGPD (Brazil) — 15 days
- DPDPA (India) — 90 days
- PIPA (South Korea) — 14 days
- PDPA (Thailand) — 90 days
- APPI (Japan) — 21 days
- Quebec Law 25 (Canada) — 30 days
The right framework is selected automatically based on where the company is based.
Can I send an access request instead of a deletion request?
Yes. In the request dialog you can switch between a deletion request and an access request (Art. 15 GDPR). The access request asks for a copy of all data held about you. Same deadlines, same tracking.
Does WipeMe detect replies from companies?
The tracking dashboard has a "Check replies" button. WipeMe scans your inbox for emails from companies you contacted and looks for common response patterns like "your data has been deleted".
Found replies are shown as suggestions. You decide whether to mark them as done.
Does WipeMe remind me about upcoming deadlines?
You can enable browser notifications. WipeMe then checks each time it is opened whether any deadlines fall within the next 7 days and shows a notification.
You can also export all deadlines as an .ics file, so Google Calendar, Outlook, or Apple Calendar sends the reminder directly.
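The deadline check and .ics export described above, combined with the response windows from the framework list, can be worked through like this. It is an added example, not WipeMe's own code: the request record shape, the function names and the UID/PRODID values are assumptions, and the sample requests are constructed.

```javascript
// Response windows in days, copied from the framework list on this page.
const WINDOW_DAYS = { GDPR: 30, "UK GDPR": 30, CCPA: 45, LGPD: 15, DPDPA: 90,
  PIPA: 14, PDPA: 90, APPI: 21, "Quebec Law 25": 30 };
const DAY_MS = 24 * 60 * 60 * 1000;
const toDate = s => new Date(s + "T00:00:00Z"); // "YYYY-MM-DD" -> UTC midnight
const ymd = d => d.toISOString().slice(0, 10).replace(/-/g, "");

// requests: [{ company, framework, sentOn }] is a hypothetical record shape.
function withDeadlines(requests) {
  return requests.map(r => {
    const days = WINDOW_DAYS[r.framework];
    if (days === undefined) throw new Error("unknown framework: " + r.framework);
    return { ...r, due: new Date(toDate(r.sentOn).getTime() + days * DAY_MS) };
  });
}

// Deadlines falling within the next `horizon` days of `today`; overdue ones excluded.
function dueSoon(requests, today, horizon = 7) {
  const t = toDate(today).getTime();
  return withDeadlines(requests).filter(r => {
    const left = (r.due.getTime() - t) / DAY_MS;
    return left >= 0 && left <= horizon;
  });
}

// Escape TEXT values (RFC 5545 3.3.11) so a company name cannot inject properties.
const icsText = s =>
  s.replace(/\\/g, "\\\\").replace(/[;,]/g, "\\$&").replace(/\r?\n/g, "\\n");

function toIcs(requests, stamp) {
  const events = withDeadlines(requests).map((r, i) => [
    "BEGIN:VEVENT",
    `UID:deadline-${i}@example.invalid`, // placeholder UID
    `DTSTAMP:${stamp}`,
    `DTSTART;VALUE=DATE:${ymd(r.due)}`,
    `SUMMARY:${icsText(r.framework + " deadline: " + r.company)}`,
    "END:VEVENT",
  ].join("\r\n"));
  return ["BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//deadlines//EN",
    ...events, "END:VCALENDAR"].join("\r\n") + "\r\n";
}

// Constructed sample requests.
const SAMPLE_REQUESTS = [
  { company: "Acme, Inc", framework: "GDPR", sentOn: "2024-01-10" },
  { company: "Globex", framework: "CCPA", sentOn: "2024-01-01" },
];
console.log(dueSoon(SAMPLE_REQUESTS, "2024-02-05").map(r => r.company));
console.log(toIcs(SAMPLE_REQUESTS, "20240205T000000Z"));
```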