Root671402yIm surprised more sites don't strip out /\+[^@]+/ to help mask their sale of PII.
A second reply after I asked for some clarification:
"I have discussed this again with our ICT department and they will not add support for a plus sign in email addresses. I cannot go into details about this because of security reasons.
I hope Ive informed you enough about this.
Even though your products are great I have the feeling my personal details are not stored in a safe way. Hereby I would like to first receive all data you have collected about me and afterwards delete all information you have on me according to the right to be forgotten section of the GDPR.
Im curious what their reaction to this will be. If their ICT department keeps saying it is a security risk and they cannot say why either they are lying or their system is, as we dutch say it, as leak as a basket.