I am not even sure whether they will really destroy the said KYC data after everything is processed and verified. You know, private companies, especially big firms with huge market shares do not really do what they tell the customers, and so I'm still not certain as to whether Bitpay would really delete the data after all.
Once you have KYC verified yourself, you should assume that your information is stored on X Y Z servers for ever. I would never take the word of a company (regardless of how established they are) serious when they tell me that they have deleted most of the sensitive information they have about me.
Even if they did truly delete your data, who says they haven't been hacked? Or that an employee copied their database and use it to extort them at a later stage through a proxy? I rather be paranoid than too comfortable in times where crazy things are happening with people's information. Crypto as a whole is too immature and unprofessional to take serious.