I guess this is a cultural thing @jay. We take our lead from GDPR and don’t collect any customer information that is not required in order to provide the service.
We used to do things differently and would collect as much information as we could for marketing. But we live in a different world now where bits of personal data scattered across the internet can be stitched together in ways previously impossible.
No business that gathers user data can guarantee that data is not shared in some way. You can only do your best, but if your best fails, as it often does, you can be liable.
So we no longer hold anything other than an email address that is used to login. We use other providers for authentication. We use other providers for payment processing. Our users are virtually anonymous to us and our business continues to grow.
Clearly authentication and payment providers need to know more about us. They also need to know more about our customers. But we do not need to know more about our customers and we prefer service providers who do not ask for any information they do not require beyond the provision of the service.