They need to own up to their mistake sending PII to an analytics tool. They could have easily sent a uuid identifier for each user instead of email, name and organisation. Seems like a major blunder on their side.