Question. Why is keeping passwords such a big deal? You should be storing them in a way that they're secure so that even if someone did get access to them they can't do anything with them.
Take the MD5 hash of the password plus a random salt when the account is generated, store it, and compare to that on login. MD5 hashes are one way and adding a salt into it randomly secures it somewhat against brute-forcing.
You don't really need an IP to validate ownership just use a session uid that expires in say, 10 minutes. Email a link containing that uid in a link as a URL param and validate that way. You could even keep a key in the browser cache that you check to see if it's the same browser that created the account.
That still leaves email storage which you could just get rid once the account is verified and leave it as username/password login. That way technically all you're storing is a username which isn't classed as "personal information" (not sure about EU rules).
Only permit the user to use the site once they're verified that way not just anyone can use it. Technically the same way it's set up now.
I also don't get why storing a build is such an issue also. All you're doing is storing parameters for the UI to show a build the same way you'd store someone's settings on their computer so that a user can edit it. I don't see a need for things to be deleted permanently especially because a lot of people rely on previously created builds.
There's a number of loopholes you can use to get around storing personal information. The EU is a sucker for this kind of stuff.
Hope that gives you any alternatives.
Source: Web/Software developer with adequate industry experience.