the safest way would probably use a system where data is stored briefly in a cryptographic way and deleted after verification
but I bet most of the websites store it indefinitely.
The regulations I know about KYC (and which are valid in the EU, for example) require exactly that, yes. Companies like Roobet are not allowed to do the checks themselves, but KYC is done by an external and certified company. However, since Roobet is not based in the EU, I do not know if this also applies here.
But the main thing is: the data would have to be deleted immediately after the review and may not be kept. Whether anyone adheres to this is of course another question ...
But i don't think so that data is deleted immediately as most of them tend to save it for some period in their database for some verifications don't know but this issue has been raised beforehand also.The data leak chances are definitely there if third party is at breach whosoever do this task based in EU so your personal information is at risk there but some more secured ways should be there.