I'm somewhat knowledgeable on privacy topics, pasting my answer to another comment:
The EDPB has explicitly ruled on that, when it comes to age verification^1, you should delete: "Trust models are crucial to prevent data breaches in age assurance contexts [...] once the user's age is verified, no record of the personal data used for the age assurance process is kept".
^1: https://www.edpb.europa.eu/system/files/documents/2025-04/ed..., number 36.
I agree with the theory, but I guarantee you that in practice the vast majority of orgs are storing way more data than they should.
Can't find the reference by date. What's the name of the document?
Fixing the link: https://www.edpb.europa.eu/system/files/documents/2025-04/ed...