This should happen if a user hasn't logged in after 1 month of account creation.

It doesn't cost us anything to keep the data but in the event that there's a database leak and our password hash is bad (both unlikely, but it could happen) we would be putting users at risk if they reuse passwords (as so many do)