The type of data collected now includes the computer's processor, operating system and version, the user's IP address, and any crash reports, fatal error codes and messages generated by their machine. More concerning perhaps is the inclusion of a vague section listing data that must be collected "for legal enforcement, litigation, and authorities' requests (if any)."
The storage of said data is located in servers in the U.S., Russia, and the European Economic Area. For example, IP addresses are stored in an identifiable way for a day before being hashed and then stored in servers for a year, leaving users identifiable via government data requests.
In addition, the new policy prevents people under the age of 13 from using the software, which is a violation of the GPL license that Audacity uses.
Understandably, the policy changes have upset Audacity users, who have taken to Reddit and GitHub to question why an offline desktop app needs to "phone home" at all, and there is already discussion about forking Audacity into a separate open-source project that's free from the Muse Group's ownership and questionable data collection practices.