Reportedly, the records include usernames, hashed passwords (SHA-256), date joined, last login date, email addresses, first and last names, account profile (staff member/a superuser), account status etc.
Some are selective in their interpretation of privacy depending on where such data is posted and this is the mindset that led to outrage against the Aarogya Setu app.