Quite often user profile data as well. Job title and company in a bunch of projects. Sometimes profile pics. Social media accounts. Location or address details - sometimes just coarse location like "Sydney", sometimes exact delivery addresses - sometimes geolocation co-ordinates used for geofencing or smart defaulting (Apple's new coarse geo location is a good thing here, but I wouldn't want to be the test case in court about whether or not that's PII). Phone numbers (if needed, like for SMS alerts or shitty 2fa verification requirements I can;'t talk people out of).
Where I cone from (.au) even an ip address is considered PII under our Privacy Act if it's linkable to another identifier - an ip address on it's own is not PII, but an ip address and an email address makes the ip address into PII as well as the email address. (It's unclear, but this likely includes storing a "last login date" in your email-containing database table that "could" be correlated to a login api call with an ip address in your log files, even if you are not actively doing that.)
