diff --git a/internal/db/db.go b/internal/db/db.go
index 12ddac5..d018b4d 100644
--- a/internal/db/db.go
+++ b/internal/db/db.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"
 	"log/slog"
+	"time"
 
 	_ "modernc.org/sqlite"
 )
@@ -27,6 +28,18 @@ func Open(path string) (*sql.DB, error) {
 	return db, nil
 }
 
+// PurgeExpired deletes expired sessions and used/expired password reset tokens.
+func PurgeExpired(database *sql.DB) error {
+	now := time.Now().UTC().Format(time.RFC3339)
+	if _, err := database.Exec(`DELETE FROM sessions WHERE expires_at < ?`, now); err != nil {
+		return fmt.Errorf("purge sessions: %w", err)
+	}
+	if _, err := database.Exec(`DELETE FROM password_resets WHERE expires_at < ? OR used = 1`, now); err != nil {
+		return fmt.Errorf("purge password_resets: %w", err)
+	}
+	return nil
+}
+
 func runSchema(db *sql.DB) error {
 	stmts := []string{
 		`CREATE TABLE IF NOT EXISTS customers (