Move to safer account deletion model

Currently, we immediately delete an account's data once it's considered inactive. If there was a mistake, this leaves us in an unpleasant position where we can't restore a user's data. We should instead delete the user's auth account immediately but queue their actual data to be deleted 30 days later.