Without it documented why I am collecting it, how I use it and how I store and delete it, it is non-compliant that I am collecting it at all. I think that you are assuming that they know it is being collected and that they are supposed to use it for something. They don't. It is not essential at all to the operation of the service if you don't actively monitor it. Saying it could potentially be used for some kind of security function seems like a CYA if you aren't actually doing that.
Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.
Do you disagree with this TLDR of the regulation?
https://www.smartsurvey.co.uk/articles/gdpr-compliant-with-d...
Without a bunch of work that hasn't been done I seriously doubt that they can give Right to Access, Right to be Forgotten, Data Portability, Privacy of Design and it does clearly state it is Personal Data.