GDPR and CCPA are important issues for this sort of 3rd party PII management stuff.
I'd be _very_ hesitant to use this without some very strong guarantees that legal won't come breathing down my neck because I can't point them to a contractual guarantee that we will be complying with those (and similar rules from other jurisdictions).
I lose enough sleep worrying about PII that I store in databases I manage. Farming that responsibility out to a 3rd party does not fill me with joy, it raises instead Lovecraftian levels of horror about what I'd tell a judge about how I ensured an EU citizen's rights to have their data expunged from my auth/userprofile system...
Quite often user profile data as well. Job title and company in a bunch of projects. Sometimes profile pics. Social media accounts. Location or address details - sometimes just coarse location like "Sydney", sometimes exact delivery addresses - sometimes geolocation co-ordinates used for geofencing or smart defaulting (Apple's new coarse geo location is a good thing here, but I wouldn't want to be the test case in court about whether or not that's PII). Phone numbers (if needed, like for SMS alerts or shitty 2FA verification requirements I can't talk people out of).
Where I come from (.au) even an IP address is considered PII under our Privacy Act if it's linkable to another identifier - an IP address on its own is not PII, but an IP address and an email address makes the IP address into PII as well as the email address. (It's unclear, but this likely includes storing a "last login date" in your email-containing database table that "could" be correlated to a login API call with an IP address in your log files, even if you are not actively doing that.)