Your questions are answered in chapter 4.11 of their privacy policy.
This is why you got flagged:
To minimize our business risk and to prevent the misuse of our services, we carry out a check based on general risk factors when new customer accounts are registered.
Our system makes a prediction about how likely it is that you will meet your contractual payment obligations and use our services responsibly. The result of this preliminary check may influence whether we enter into a contractual relationship with you. During the assessment, the data you provide as well as technical characteristics are processed. This data is compared with our previous experience and evaluated with the help of an external service provider for risk analysis.
And this is how they minimize risk of leaking your PII:
If verification is carried out by iDenfy, your data will be stored for two months.
In all other cases, the data will be deleted immediately after the verification is completed.
Hetzner is an odd one. I created an account and got flagged immediately after, followed up by a prompt asking me to upload a copy of my passport.
I just want to spin up a server. How can they guarantee that my personal identification will be safe and secure in case of a data breach?
Your questions are answered in chapter 4.11 of their privacy policy.
This is why you got flagged:
And this is how they minimize risk of leaking your PII: