figma guide
Designing data retention policies and auto-deletion UI in Figma: lifecycle rules and handoff
Design data retention and auto-deletion UI in Figma with policy rules, grace periods, legal hold overrides, audit trails, and Dev Mode specs for enterprise compliance admin.
- Published
- Updated
- Jul 15, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
Data retention policies define how long org data is kept before automatic deletion—configured under Organization → Compliance → Retention. Design a policy rules table (data type, retention period, action, status); a policy editor with preview of affected records; grace period and soft-delete states before permanent purge; legal hold overrides that pause deletion per compliance exports; member offboarding tie-in when deprovisioning triggers shorter retention; and audit events logged to security activity. Start from the Figma guides hub and pair with Dev Mode handoff for scheduler specs and hold-conflict rules.
Who this is for
- Product designers building enterprise Compliance settings, privacy admin consoles, and data lifecycle flows.
- Design system teams aligning retention UI with privacy settings and compliance exports.
- Engineers implementing retention schedulers, hold conflicts, and purge job states.
Retention policy entry points
| Location | Audience | Actions |
|---|---|---|
| Org → Compliance → Retention | Compliance admin | CRUD retention rules |
| Legal hold detail | Legal / compliance | See paused deletions |
| Member offboarding | IT admin | Trigger accelerated retention |
| Self-serve privacy | End user | View personal data timeline |
Verdict: one Data retention settings page with rules table—do not bury per-data-type retention in unrelated Security menus.
Policy rules table
| Column | Spec | Notes |
|---|---|---|
| Data type | Audit logs, inactive accounts, deleted files, session history | Enum from product catalog |
| Retention period | 30 days, 1 year, 7 years, indefinite | Show human label + ISO duration |
| Action at expiry | Soft delete → purge, anonymize, archive | Link to action glossary |
| Status | Active / Draft / Paused | Draft for staged rollout |
| Records affected | Count estimate | Refreshed nightly |
| Last run | Scheduler timestamp | Link to job log |
| Actions | Edit, Pause, Duplicate | Delete requires confirm |
RetentionRulesTable
├── Toolbar: [ Add policy ] [ Import template ] [ Run preview ]
├── Rows...
└── Footer: "6 active policies · next purge in 14h"
Import template for common frameworks: SOC2 (1yr logs), GDPR (account deletion 30d), HIPAA (7yr)—preview before apply.
Add / edit policy modal
| Field | Validation | Helper text |
|---|---|---|
| Data type | Required, single select | ”What this rule applies to” |
| Retention period | Min 7 days unless legal override | Slider + numeric input |
| Action | Soft delete, anonymize, hard purge | Explain irreversibility |
| Grace period | 0–90 days after soft delete | User recovery window |
| Scope | Org-wide / team / project | Enterprise tier |
| Effective | Immediate / scheduled | Change window |
AddPolicyModal
├── Data type: [ Inactive member accounts ▾ ]
├── Retention: [ 90 days ] after last activity
├── Action: ( ) Anonymize (•) Soft delete → purge
├── Grace: [ 14 days ] before permanent deletion
├── Preview: "~128 accounts match today"
└── [ Cancel ] [ Save policy ]
Show impact preview before save—estimate records, next purge date, and conflicts with legal holds.
Soft delete and grace period states
| State | User-visible | Admin-visible |
|---|---|---|
| Active | Normal access | — |
| Marked for deletion | Banner: “Account scheduled for removal” | Retention queue |
| Soft deleted | Login blocked; data recoverable | Trash / recovery bin |
| Grace ending | Countdown: “7 days until permanent deletion” | Escalation email to admin |
| Purged | Gone | Audit data.purged |
SoftDeleteRecoveryBin
├── Filter: Data type · Scheduled purge date
├── Row: jane@acme.com · Soft deleted Mar 1 · Purge Mar 15
└── Actions: [ Restore ] [ Purge now ] (admin only)
Restore requires Compliance Officer role when org policy mandates separation of duties.
Legal hold interaction
Legal hold pauses automatic deletion for held subjects or data scopes.
| Scenario | UI behavior |
|---|---|
| Hold placed on member | Retention timer frozen; badge on member row |
| Hold released | Timer resumes from paused point or restarts—configurable |
| Org-wide hold | All purge jobs paused; banner on Retention page |
| Conflict preview | ”12 records skipped due to active holds” in job report |
RetentionJobReport
├── Scheduled: 340 records
├── Purged: 312
├── Skipped (legal hold): 12
├── Skipped (error): 0
└── [ Download report ] [ View hold list ]
Cross-link hold detail from skipped count—admin should not hunt across consoles.
Member offboarding tie-in
When offboarding runs, retention may accelerate:
| Offboarding option | Retention effect | UI copy |
|---|---|---|
| Deactivate | Standard inactive-account policy | ”Data retained per org policy” |
| Delete after 30d | Override with shorter window | Checkbox on offboard modal |
| Immediate anonymize | Bypass grace for PII only | Requires extra confirm |
| Transfer ownership | Files keep file-level retention | Link to asset transfer UI |
Offboard modal should show effective deletion date computed from active policies—not a generic “data will be deleted.”
Self-serve privacy alignment
Privacy settings self-delete requests interact with org retention:
| User action | Org policy | UI |
|---|---|---|
| Request account deletion | Org retention may delay | ”Processed within 30 days per org policy” |
| Download before delete | Encourage export first | Link to personal export |
| Cancel deletion request | Allowed during grace | ”Undo deletion” button |
Footer on privacy page: “Your organization’s retention policies may extend storage of certain audit and billing records.”
Scheduler and job visibility
| Job state | Admin UI | End-user UI |
|---|---|---|
| Queued | Job ID + ETA | None |
| Running | Progress bar | None |
| Completed | Summary counts | Email if account affected |
| Failed | Error + retry | None |
| Partial | Per-record errors file | Support contact |
RetentionJobsLog
├── Columns: Job ID · Policy · Started · Status · Records
├── Filter: Last 30 days · Failed only
└── Row drill-down → RetentionJobReport
Expose next scheduled run on each policy row—admins need predictability for compliance audits.
Audit and compliance export
Log to audit activity:
| Event | Payload |
|---|---|
retention.policy.created | Policy ID, data type, period |
retention.policy.updated | Diff of changed fields |
retention.purge.completed | Count, policy ID |
retention.restore | Actor, record ID |
retention.hold_conflict | Skipped count |
Compliance exports should include retention policy config and purge job history for eDiscovery readiness.
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| No grace period on account deletion | Accidental permanent loss | Default 14-day soft delete |
| Purge without hold check | Litigation spoliation | Skip held records; log conflicts |
| Hidden scheduler failures | Silent non-compliance | Failed job alerts to Compliance Officer |
| Same retention for all data types | Over-retain PII or under-retain logs | Per-type policies |
| No restore path | Support nightmare | Recovery bin with role gate |
| User deletion blocked with no explanation | Trust loss | Show org policy reason + timeline |
| Preview missing on policy save | Surprise mass deletion | Impact estimate required |
| Offboarding omits deletion date | HR confusion | Computed date on offboard modal |
| Audit logs deleted too early | SOC2 failure | Separate long-retention rule for audit |
| Anonymize vs purge unclear | Wrong recovery expectations | Action glossary in UI |
Recommended workflow
- Design retention rules table with add/edit modal and impact preview.
- Add soft-delete recovery bin with restore and admin purge-now actions.
- Wire legal hold badges and skipped-record reporting on purge jobs.
- Extend offboarding modal with computed deletion date and accelerated options.
- Align self-serve privacy copy with org retention overrides.
- Spec scheduler states and hold-conflict logic in Dev Mode.
- Link audit events for policy CRUD, purges, restores, and hold conflicts.
FAQ
Can retention policies differ by team?
Enterprise tier often supports team-scoped rules—show scope column and filter in admin table.
What happens to API keys when a member is purged?
Revoke keys immediately on soft delete; document in retention action glossary.
Does retention override IP allowlist or SSO?
No—retention governs data lifecycle; access controls are orthogonal. Cross-link docs only.
Can members see retention policies?
Summary only in privacy settings—full policy detail is admin-facing unless regulations require disclosure.
How do retention rules interact with SCIM deprovision?
SCIM delete should trigger the same retention pipeline as manual offboarding—show consistent deletion date in audit.
Next steps
- Design compliance exports and legal hold UI in Figma — hold overrides on purge jobs
- Design privacy settings and data management UI in Figma — self-serve deletion requests
- Design member offboarding and deprovisioning UI in Figma — accelerated retention on exit
- Design audit log and security activity UI in Figma — policy and purge events
- Figma Dev Mode for designers: handoff checklist — scheduler and conflict specs
§ Keep reading