The answers to your questions are mostly publicly available on the fincen.gov web site (with the exception of our own security procedures), but I'll summarize relevant answers as it might take you some time to read there.
- We collect email, IP, trade info, and if optional "Know Your Customer" data is supplied by the customer, the trades are linked to the identity info (pretty obvious, I guess).
- Like deposits and withdrawals to US banks, we're required to file "Currency Transaction Reports" for total trades over 10K USD in value in a day (and they can't be filed for lesser total amounts during a day). These reports are "routine" reports, they don't generally indicate much.
- There are also "Suspicious Activity Reports" which can be filed by the business on amounts over $2K USD in value if the business in its own opinion deems the transactions to be suspicious. An example of when this could happen would be if a bunch of Steem accounts suddenly sent funds to an account controlled by a known scammer. These reports are more serious, since they indicate the business suspects some form of illegal activity.
- The above reports are sent to FINCEN. I don't know under what circumstances FINCEN will share these reports with other countries, but my best guess is they will only share it if they think the other country can help in a criminal investigation.
- They don't normally make "requests" of the type you're describing except in the case where there is an active criminal investigation, and in such cases they must obtain a court-ordered subpoena for the data. It is possible to challenge such requests, but generally they are investigating stolen crypto funds (they actually tell you the reason for the request) and I don't have a problem providing the data in such a case, as I have no sympathy for crypto thieves. By the way, such requests are nothing new, we've always been required to assist in such investigations (as does any crypto company where its principals are known, I would guess). The subpoenas for these types of court orders explicitly require that you don't reveal the information to the subject of such an investigation, at a potential penalty of obstruction of justice.
Regarding the limits, I believe they are necessary to meet FINCEN reporting requirements outlined above if the business is a crypto exchange. I suppose it's quite possible that many crypto exchanges outside the US are ignoring these requirements, since their principals probably reside in other countries. But generally, when you file a Currency Transaction Report, you are expected to provide basic identity information, not just an email. And 2 BTC is more than 10K USD now.
As to the remaining question about the security of customer information, we are maintaining it at a highly privileged level (same as we have always maintained customer information). The data is stored on the same servers where we keep our crypto wallets and it is only accessed by 3 highly trusted and trained personnel here.