Account Lockout & Deletion Policy
The logic is straightforward: if 20 or more consecutive failed login attempts are detected on an account, the system automatically locks it as a security measure. Once locked, the legitimate account owner must complete an identity verification step — such as confirming via email, phone, or a backup authentication method — in order to regain access and unlock their account.
If the account remains locked and the owner fails to verify within a configurable inactivity window (defaulting to 3 months, but adjustable by the user up to 8 months or more), the account enters a deletion process — not an instant wipe.
Warning Notifications
Before deletion occurs, the system sends a series of alerts to the account's registered contact (email, phone, or both):
30 days before the deadline — first warning
7 days before — urgent reminder
24 hours before — final notice
Each notification includes a direct link to the verification flow, making it easy for the owner to recover their account before time runs out.
Grace Period After Deletion
If the deadline passes and the account is deleted, it is not immediately permanent. A 30-day grace period begins, during which the user can still recover their account and all associated data by completing verification. Once the grace period expires, the deletion becomes hard and irreversible — all data is permanently purged from the system.
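The lifecycle described above (lockout, warning schedule, deletion deadline, grace period) can be modelled as a small state machine. This is an added example, not code from the system the page describes; the class, method and state names are hypothetical, and "3 months" is assumed to mean 90 days.

```python
from datetime import datetime, timedelta

LOCK_THRESHOLD = 20                       # consecutive failed logins (from the page)
WARNING_OFFSETS = [timedelta(days=30), timedelta(days=7), timedelta(hours=24)]
GRACE_PERIOD = timedelta(days=30)         # recoverable window after deletion
DEFAULT_WINDOW = timedelta(days=90)       # assumption: "3 months" taken as 90 days


class Account:                            # hypothetical model, names are illustrative
    def __init__(self, window=DEFAULT_WINDOW):
        self.window = window              # user-configurable inactivity window
        self.failures = 0
        self.locked_at = None
        self.sent = set()                 # warning offsets already delivered

    def record_login(self, success, now):
        """Count consecutive failures and lock at the threshold."""
        if self.locked_at is not None:
            return                        # locked: only verification changes state
        self.failures = 0 if success else self.failures + 1
        if self.failures >= LOCK_THRESHOLD:
            self.locked_at = now

    def state(self, now):
        """Derive the lifecycle state from timestamps alone."""
        if self.locked_at is None:
            return "active"
        deadline = self.locked_at + self.window
        if now < deadline:
            return "locked"
        if now < deadline + GRACE_PERIOD:
            return "deleted_recoverable"
        return "purged"

    def due_warnings(self, now):
        """Warnings whose send time has arrived and that were not sent yet."""
        if self.state(now) != "locked":
            return []
        deadline = self.locked_at + self.window
        due = [o for o in WARNING_OFFSETS if now >= deadline - o and o not in self.sent]
        self.sent.update(due)             # idempotent across repeated scheduler runs
        return due

    def verify(self, now):
        """Identity verification unlocks or restores, unless already purged."""
        if self.state(now) == "purged":
            return False
        self.failures, self.locked_at, self.sent = 0, None, set()
        return True
```

Deriving the state from `locked_at` and the window, rather than storing it, means a missed scheduler run cannot leave an account in a stale state.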