How to hand over client accounts when you stop working
How to hand over client accounts when you stop working: a 6-to-12-week plan to confirm the end date, transfer Google Ads and Meta ownership, and revoke access last.
Treat the handover as a 6-to-12-week arc, not a final-day scramble: confirm the end date in writing, deliver final assets to client-controlled locations, transfer real platform ownership, and only then revoke your own access and log the date. The order matters more than the speed — pull your access too early and you can lock both parties out of the same account.
What does the full offboarding timeline look like?
A clean handover breaks into three phases: pre-exit, exit, and post-exit. Pre-exit starts about two weeks before the final day, exit is the final week, and post-exit runs up to 90 days after you stop.
The very first pre-exit step is to confirm the end date in writing — a short email referencing the contract clause — so everyone on the account knows the engagement is ending and on what date. Nothing else moves cleanly until that date is fixed and shared.
| Phase | When | What happens |
|---|---|---|
| Pre-exit | ~2 weeks before final day | Confirm end date in writing; notify everyone on the account; confirm you are handing over the current version of every deliverable |
| Exit | Final week | Deliver final assets to client-controlled locations; transfer access and ownership; then revoke your own access and document the date |
| Post-exit | Up to 90 days after | Thank-you note within 48 hours; no-agenda check-in around day 30; referral request day 30-60 |
What assets do you actually hand over, and where?
During the exit week you deliver every final asset — source files, brand kits, content libraries, data exports — into locations the client controls, not a shared folder that still lives in your account. Alongside the files, you transfer access and credentials for the domain, hosting, analytics, ad accounts, CMS, and social profiles.
Before any of that, confirm you are delivering the current version, that every dependency is accounted for, and that the work matches what was signed off on. Handing over a stale file is worse than handing over nothing, because it looks finished.
How do you transfer credentials securely instead of dumping them in plain text?
Share credentials for WordPress, social media, and third-party APIs through a secure password manager, not plain text. A plain-text login pasted into an email leaves a copy in two inboxes forever.
1Password lets you share a single item via a unique link, even with people who do not use the app. You can restrict the link to specific email addresses and set it to expire after 30 days, 14 days, one day, one hour, or a single view — which fits a handover that needs only temporary access. One detail to know: the link shares a snapshot copy created at the moment of sharing, not the live item, so if you change a password after sharing, the recipient still sees the old one unless you share again. For access that needs to last, 1Password guest accounts let you invite a contractor into a shared vault holding only the items their job requires.
If you want a documented way to stage this before you ever go unreachable, here is how to give someone account access in an emergency without ever exposing the passwords themselves.
How do you transfer real ownership of Google Ads and Meta accounts?
Shared access is not ownership. Transferring true control follows platform-specific steps, and the sequence is what protects you from locking anyone out.
Google Ads. In a manager (MCC) account, the client account still owns its data and can always unlink a manager that holds ownership. A client account can only have one owner at a time. An administrator on the owner manager account transfers control through Sub-Account Settings by picking a new manager in the Owner column dropdown, or by removing all owners so the client can turn on ownership for a different manager. To remove your own agency access, go to the Users page under Access and security and click Remove access next to your email. If billing moves too, the current paying manager uses Billing transfers, Change who pays, External Billing Transfer, enters the new manager's 10-digit ID, and the new agency has 7 days to approve before the transfer auto-cancels.
Meta. One Business Manager owns the ad account, and others are granted access to it. To hand the account to a client, go to Business Settings, Ad Accounts, select the account, then Assign Partners, connect by Business ID, paste the client's Business ID, and grant the Manage Ad Account (Admin) toggle. Do not remove your own access until the new owner confirms they have full control and have added their own payment method — and add the new payment method before removing the old one to avoid interruptions in ad delivery.
The rule across both platforms is identical: revoke yourself last, and only after the other side confirms everything runs.
Who legally owns the work, and which contract clauses govern the handover?
Consultant and freelance agreements usually state that all work product becomes the sole and exclusive property of the client, with all right, title, and interest assigned over. But that assignment has to be written down. Under the U.S. Copyright Act, work by an independent contractor counts as work made for hire only if it is specially ordered or commissioned, there is a signed written agreement, and it falls into one of nine enumerated statutory categories (such as a contribution to a collective work, a translation, a compilation, an instructional text, or a test). Most software, business documents, and marketing materials do not fit those categories, so without a separate IP assignment clause the client may not own the copyright.
Termination terms matter just as much. Without a clear termination clause, a freelancer risks sudden cancellation without compensation or being stuck in unfavorable terms. A good clause specifies the notice period, termination for cause versus convenience, and payment for work already completed.
What are your data obligations after the engagement ends?
If you process personal data on a client's behalf, GDPR sets the floor. Under Article 28, a processor must, at the controller's choice, delete or return all personal data after the services end and delete existing copies, unless Union or Member State law requires keeping them.
Retention is not open-ended. Personal data may only be held while the purpose it was collected for stays active; when that purpose ends, so does the legal basis, and the deletion has to cover backups and archives, not just live systems. The responsibility does not stop at instructions either — controllers must verify that processors actually deleted the data, so "we told them to delete it" does not discharge the obligation.
How do you close out money and the relationship?
Pair the asset and access transfer with a clean financial close: a final invoice with any pro-rated amounts and third-party receipts, an exit conversation, and structured follow-up after the final day.
Use this post-exit checklist so the last impression you leave is a competent one rather than a silence:
- Thank-you note within 48 hours of the final day
- No-agenda check-in around day 30 to surface anything that broke after you left
- Referral request between day 30 and 60, aimed at named contacts rather than a blanket ask
- Confirm the client can log into every transferred platform without you
- Log the date you revoked your own access, per platform
Frequently asked questions
In what order do I remove my own access? Last. Deliver assets, transfer ownership, and confirm the client can operate everything before you revoke yourself. In Meta specifically, do not remove yourself until the new owner has full control and has added their own payment method.
Does the client automatically own everything I made? No. Work product is usually assigned to the client by contract, but work made for hire applies only to nine enumerated categories with a signed agreement; most deliverables need a separate IP assignment clause for the client to hold the copyright.
How long should the whole process take? Plan for 6 to 12 weeks across pre-exit, exit, and post-exit, with follow-up running up to 90 days after the final day.
Can I just email the passwords? Better not to. Share through a secure password manager, and for temporary handover access use an expiring 1Password link limited to set email addresses.
What do I owe on personal data after we part ways? If you are a processor under GDPR, delete or return all personal data at the controller's choice once services end, and the controller must confirm the deletion actually happened.
Sources
- Client offboarding checklist — Rock
- The exit clause: offboarding retainer clients professionally — DoHost
- Sharing passwords with guests — 1Password
- About the security of sharing items using a unique link — 1Password Support
- About account ownership (manager accounts) — Google Ads Help
- Manage access to your account — Google Ads Help
- Transfer billing to a new manager — Google Ads Help
- How to transfer Meta ad account ownership — Graphed
- Ad account ownership transfer best practices — Adamigo
- Ownership of work product clause — Afterpattern
- 17 U.S. Code § 101 — Definitions (Legal Information Institute, Cornell Law)
- 5 must-have clauses for any freelancer contract — freelancermap
- Art. 28 GDPR — Processor
- EU data retention rules under GDPR — Secure Privacy