Pedro Reis (@pedromlsreis) asked a very post-launch question: after a burst of signups, how do you tell the real users from the disposable and unconfirmed ones, and what do you do with the fakes? His twist is that his product is privacy-first, so he logs nothing fingerprintable, and a tight cluster of signups with no follow-up activity was his only clue anything was off.
The room was near-unanimous on one thing: don't hard-delete. Soft-delete, mark inactive, purge much later. The warning that kept coming up was to never auto-delete an account that did something real, started a trial, uploaded data, even if they never confirmed, because that's a real user who's just lazy or distracted, not a bot.
Wasil (@wasil_abdal) had the most complete playbook: auto-delete unconfirmed accounts after seven days, but keep the soft-deleted row with a reason tag, and if the same email signs up again within 30 days, quietly restore the old record and resend the confirmation, no manual database surgery. Anastasiia (@alieksia) offered the opposite instinct, stop the cluster ever forming by verifying accounts before they touch your main table at all.