Here is some information on this topic, just a little outdated. But, perhaps, nothing has changed since then.
https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_datasending_2014_en.pdf
And some more information from another antivirus laboratory.
AV-Test has conducted a thorough analysis of the English-language privacy policies of 26 antivirus programs and provides a comprehensive assessment of the market situation. In fact, only 24 documents were analyzed, because the two antiviruses do not include any privacy policy at all - neither on the manufacturer's website, nor during the installation of the program. In almost every privacy policy researched, the manufacturer assumes a large number of access rights that should not be required when using an antivirus product. Instead, according to vendors, this information is used for product optimization purposes, as well as to adjust the marketing campaign of the developer and partner companies. In each of the analyzed documents, the manufacturer reserves the right to transfer the collected data to third-party companies.
In most cases, the data collected includes your username, email address, and billing information. Vendors are also interested in additional contact information, including phone numbers. This information is probably used to impose additional products and services on the user, but they are not used when the antivirus is running. Among other things, this can be proved by the fact that absolutely all development companies collect this data.
Some vendors allow themselves too much. According to the results of AV-Test analysis, it turned out that some manufacturers are gaining access to biometric data stored on a computer. The testers were perplexed when they discovered that the antivirus program was requesting access to digital fingerprints. It is very difficult to explain how information about the user's gender, activity, race or sexual orientation can help the antivirus work. There may be some enterprising marketers involved. Moreover, if we consider tracking user behavior, then many vendors are generous in this matter - 15 out of 24 manufacturers require access to the browsing history in the browser of their users. Six products request access to their search history. Five companies reserve the right to check email. Only two vendors offer the ability to access the address book. What's more, anti-virus software vendors are also interested in getting user activity data on social networks. One of the development companies reserves the ability to publish posts on behalf of the user. Some other products try to participate in chat sessions, or at least access your chat history.
The simplest explanation for such an extensive collection of device data is to protect the information on the device and the applications installed on it. After all, it is the competence of the antivirus to block malicious programs that disguise themselves as legitimate applications and try to gain access to data. That is why vendors ask for basic information: IP address, device ID, operating system, installed applications. Although it must be admitted, not all of them capture this data, but there are some non-standard requests: GPS coordinates detection (5 developers), WLAN positioning (4 developers). However, this can also be explained by the work of the anti-theft function. However, users should keep in mind that they pay for additional device protection by tracking their own movements. In 10 of the 24 analyzed policies, vendors reserved the right to compile “user statistics”. It is not clear exactly what data is meant: using an antivirus program, using a device, or a collection of completely different data. In this area, as in many other sections, agreement terminology is extremely vague.
The fact that many users ignore the general terms and conditions and privacy policy is not surprising. On the one hand, users can be overwhelmed by the sheer volume of agreement. The average length of the privacy policies tested is 12 pages. Moreover, in many cases, their appearance seems to hint that the manufacturer is not interested in understanding the content of the agreement.
An additional test of the readability of the text and the use of appropriate analytical programs showed that many privacy policies are too complex. In other words, the conventions are incomprehensible to the average user. Long sentences and an abundance of technical terms only complicate the understanding of such a vast amount of information. In addition, most developers cannot unequivocally answer the question of the conditions and duration of data storage. Where is user information stored? How long will this data be kept? What data is transferred to third parties, and who are these partners? Many security vendors have failed to provide a satisfactory answer to these questions in their privacy policies.