figma guide

Designing data retention policies and auto-deletion UI in Figma: lifecycle rules and handoff

Design data retention and auto-deletion UI in Figma with policy rules, grace periods, legal hold overrides, audit trails, and Dev Mode specs for enterprise compliance admin.

Published
Updated
Jul 15, 2026
Read time
7 min
Level
Intermediate

Quick answer

Data retention policies define how long org data is kept before automatic deletion—configured under Organization → Compliance → Retention. Design a policy rules table (data type, retention period, action, status); a policy editor with preview of affected records; grace period and soft-delete states before permanent purge; legal hold overrides that pause deletion per compliance exports; member offboarding tie-in when deprovisioning triggers shorter retention; and audit events logged to security activity. Start from the Figma guides hub and pair with Dev Mode handoff for scheduler specs and hold-conflict rules.


Who this is for

  • Product designers building enterprise Compliance settings, privacy admin consoles, and data lifecycle flows.
  • Design system teams aligning retention UI with privacy settings and compliance exports.
  • Engineers implementing retention schedulers, hold conflicts, and purge job states.

Retention policy entry points

LocationAudienceActions
Org → Compliance → RetentionCompliance adminCRUD retention rules
Legal hold detailLegal / complianceSee paused deletions
Member offboardingIT adminTrigger accelerated retention
Self-serve privacyEnd userView personal data timeline

Verdict: one Data retention settings page with rules table—do not bury per-data-type retention in unrelated Security menus.


Policy rules table

ColumnSpecNotes
Data typeAudit logs, inactive accounts, deleted files, session historyEnum from product catalog
Retention period30 days, 1 year, 7 years, indefiniteShow human label + ISO duration
Action at expirySoft delete → purge, anonymize, archiveLink to action glossary
StatusActive / Draft / PausedDraft for staged rollout
Records affectedCount estimateRefreshed nightly
Last runScheduler timestampLink to job log
ActionsEdit, Pause, DuplicateDelete requires confirm
RetentionRulesTable
├── Toolbar: [ Add policy ] [ Import template ] [ Run preview ]
├── Rows...
└── Footer: "6 active policies · next purge in 14h"

Import template for common frameworks: SOC2 (1yr logs), GDPR (account deletion 30d), HIPAA (7yr)—preview before apply.


Add / edit policy modal

FieldValidationHelper text
Data typeRequired, single select”What this rule applies to”
Retention periodMin 7 days unless legal overrideSlider + numeric input
ActionSoft delete, anonymize, hard purgeExplain irreversibility
Grace period0–90 days after soft deleteUser recovery window
ScopeOrg-wide / team / projectEnterprise tier
EffectiveImmediate / scheduledChange window
AddPolicyModal
├── Data type: [ Inactive member accounts ▾ ]
├── Retention: [ 90 days ] after last activity
├── Action: ( ) Anonymize  (•) Soft delete → purge
├── Grace: [ 14 days ] before permanent deletion
├── Preview: "~128 accounts match today"
└── [ Cancel ] [ Save policy ]

Show impact preview before save—estimate records, next purge date, and conflicts with legal holds.


Soft delete and grace period states

StateUser-visibleAdmin-visible
ActiveNormal access
Marked for deletionBanner: “Account scheduled for removal”Retention queue
Soft deletedLogin blocked; data recoverableTrash / recovery bin
Grace endingCountdown: “7 days until permanent deletion”Escalation email to admin
PurgedGoneAudit data.purged
SoftDeleteRecoveryBin
├── Filter: Data type · Scheduled purge date
├── Row: jane@acme.com · Soft deleted Mar 1 · Purge Mar 15
└── Actions: [ Restore ] [ Purge now ] (admin only)

Restore requires Compliance Officer role when org policy mandates separation of duties.


Legal hold pauses automatic deletion for held subjects or data scopes.

ScenarioUI behavior
Hold placed on memberRetention timer frozen; badge on member row
Hold releasedTimer resumes from paused point or restarts—configurable
Org-wide holdAll purge jobs paused; banner on Retention page
Conflict preview”12 records skipped due to active holds” in job report
RetentionJobReport
├── Scheduled: 340 records
├── Purged: 312
├── Skipped (legal hold): 12
├── Skipped (error): 0
└── [ Download report ] [ View hold list ]

Cross-link hold detail from skipped count—admin should not hunt across consoles.


Member offboarding tie-in

When offboarding runs, retention may accelerate:

Offboarding optionRetention effectUI copy
DeactivateStandard inactive-account policy”Data retained per org policy”
Delete after 30dOverride with shorter windowCheckbox on offboard modal
Immediate anonymizeBypass grace for PII onlyRequires extra confirm
Transfer ownershipFiles keep file-level retentionLink to asset transfer UI

Offboard modal should show effective deletion date computed from active policies—not a generic “data will be deleted.”


Self-serve privacy alignment

Privacy settings self-delete requests interact with org retention:

User actionOrg policyUI
Request account deletionOrg retention may delay”Processed within 30 days per org policy”
Download before deleteEncourage export firstLink to personal export
Cancel deletion requestAllowed during grace”Undo deletion” button

Footer on privacy page: “Your organization’s retention policies may extend storage of certain audit and billing records.”


Scheduler and job visibility

Job stateAdmin UIEnd-user UI
QueuedJob ID + ETANone
RunningProgress barNone
CompletedSummary countsEmail if account affected
FailedError + retryNone
PartialPer-record errors fileSupport contact
RetentionJobsLog
├── Columns: Job ID · Policy · Started · Status · Records
├── Filter: Last 30 days · Failed only
└── Row drill-down → RetentionJobReport

Expose next scheduled run on each policy row—admins need predictability for compliance audits.


Audit and compliance export

Log to audit activity:

EventPayload
retention.policy.createdPolicy ID, data type, period
retention.policy.updatedDiff of changed fields
retention.purge.completedCount, policy ID
retention.restoreActor, record ID
retention.hold_conflictSkipped count

Compliance exports should include retention policy config and purge job history for eDiscovery readiness.


Common mistakes

MistakeWhy it hurtsFix
No grace period on account deletionAccidental permanent lossDefault 14-day soft delete
Purge without hold checkLitigation spoliationSkip held records; log conflicts
Hidden scheduler failuresSilent non-complianceFailed job alerts to Compliance Officer
Same retention for all data typesOver-retain PII or under-retain logsPer-type policies
No restore pathSupport nightmareRecovery bin with role gate
User deletion blocked with no explanationTrust lossShow org policy reason + timeline
Preview missing on policy saveSurprise mass deletionImpact estimate required
Offboarding omits deletion dateHR confusionComputed date on offboard modal
Audit logs deleted too earlySOC2 failureSeparate long-retention rule for audit
Anonymize vs purge unclearWrong recovery expectationsAction glossary in UI

  1. Design retention rules table with add/edit modal and impact preview.
  2. Add soft-delete recovery bin with restore and admin purge-now actions.
  3. Wire legal hold badges and skipped-record reporting on purge jobs.
  4. Extend offboarding modal with computed deletion date and accelerated options.
  5. Align self-serve privacy copy with org retention overrides.
  6. Spec scheduler states and hold-conflict logic in Dev Mode.
  7. Link audit events for policy CRUD, purges, restores, and hold conflicts.

FAQ

Can retention policies differ by team?

Enterprise tier often supports team-scoped rules—show scope column and filter in admin table.

What happens to API keys when a member is purged?

Revoke keys immediately on soft delete; document in retention action glossary.

Does retention override IP allowlist or SSO?

No—retention governs data lifecycle; access controls are orthogonal. Cross-link docs only.

Can members see retention policies?

Summary only in privacy settings—full policy detail is admin-facing unless regulations require disclosure.

How do retention rules interact with SCIM deprovision?

SCIM delete should trigger the same retention pipeline as manual offboarding—show consistent deletion date in audit.


Next steps

Share on X

§ Keep reading

Related guides.