The company in question should never, no matter what, resell data to other companies or private institutes.
All user data should be encrypted with a private key generated at user creation.
The user should always have a clear view of their data, whether available or stored.
The user should always have clear control of their data and be able to remove or modify it at any moment, no matter what.
Consider using a strong password.
Consider using a different password for every service.
Consider not storing your password.
Consider using 2FA when available; it's recommended to use the company's own instead of a generic one like Google's.
Consider not storing data.