The regulations I know about KYC (and which are valid in the EU, for example) require exactly that, yes. Companies like Roobet are not allowed to do the checks themselves, but KYC is done by an external and certified company. However, since Roobet is not based in the EU, I do not know if this also applies here.
But the main thing is: the data would have to be deleted immediately after the review and may not be kept. Whether anyone adheres to this is of course another question ...
But i don't think so that data is deleted immediately as most of them tend to save it for some period in their database for some verifications don't know but this issue has been raised beforehand also.The data leak chances are definitely there if third party is at breach whosoever do this task based in EU so your personal information is at risk there but some more secured ways should be there.
I also believe that we are talking about a situation where EU laws do not apply if a company is not from EU, so there isn't really any requirement for them not to hold it. Maybe they are still holding it and they are not deleting it? How would we know? Or they are doing their own checks themselves? How would we know? Is there any way of knowing if they are the ones that does the checking or not?
As far as I know, even if they follow the rules and the laws, they could literally loophole around them as well. Like let’s say they are required to get a third party to do it, what if someone from the company, or a family member, or a friend opens one up, and does it, and that’s basically following the law?