To establish a connection, your IP address is transmitted but not saved. While you use the website, the private key and the user id are saved temporarily in your browser and are removed when you leave the page.
The server stores the plaintext random user id and your password hash. It also stores all encrypted data uploaded by your phone: location, date, any pictures, battery level, the public key, and the encrypted private key.
Your data is only used to provide the functionality of finding your device. It is not given to other parties.
Yes, all data except the user id is encrypted. But you need to keep your password safe!
Your device creates an RSA-3072 keypair during registration. The private key is encrypted symmetrically with AES-GCM-256 with the Argon2 hash of your password as a key. Then the keypair is uploaded to the server.
Every time your device sends data it uses the public key to encrypt this data and uploads the encrypted data to the server.
When you access the web page and enter your user id and password, the web page derives a different Argon2 hash from your password and sends it to the server. This proves to the server that you know the password without actually sending it to the server.
The web page then downloads the keypair from the server and decrypts the RSA private key.
It can then download any other data, such as the location, and locally decrypt it in your browser.
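Added example, not FMD's own code: a Node.js walk-through of the scheme described above, showing that the login hash held by the server cannot unwrap the private key. Assumptions: scrypt stands in for Argon2 (Node's crypto module has no Argon2), the two password hashes differ by salt, uploads use RSA-OAEP with SHA-256, and all function and field names are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: scrypt stands in for Argon2, which Node's crypto module lacks.
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Device, at registration: RSA-3072 keypair, private key wrapped with AES-256-GCM.
function register(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 3072,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  // Assumption: the two password hashes differ because they use different salts.
  const wrapSalt = crypto.randomBytes(16), loginSalt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kdf(password, wrapSalt), iv);
  const wrapped = Buffer.concat([c.update(privateKey), c.final()]);
  // Everything returned here is what the server stores (hypothetical field names).
  return { publicKey, wrapped, iv, tag: c.getAuthTag(), wrapSalt, loginSalt,
           loginHash: kdf(password, loginSalt) };
}

// Returns the private key PEM, or null when the GCM tag check rejects the key.
function unwrap(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);
  try { return Buffer.concat([d.update(rec.wrapped), d.final()]).toString(); }
  catch { return null; }
}

// Server: constant-time comparison of the login hash sent by the web page.
const login = (rec, hash) => crypto.timingSafeEqual(rec.loginHash, hash);

function demo(password, guess) {
  const rec = register(password);
  // Device upload. Assumption: RSA-OAEP with SHA-256; the location is constructed.
  const blob = crypto.publicEncrypt({ key: rec.publicKey, oaepHash: 'sha256' },
    Buffer.from('{"lat":48.1,"lon":11.5,"bat":87}'));
  const pem = unwrap(kdf(guess, rec.wrapSalt), rec); // browser-side unwrap
  return {
    loginOk: login(rec, kdf(guess, rec.loginSalt)),
    serverCanUnwrap: unwrap(rec.loginHash, rec) !== null, // server's view
    location: pem && crypto.privateDecrypt({ key: pem, oaepHash: 'sha256' }, blob).toString(),
  };
}

console.log(demo('constructed-password', 'constructed-password'));
```
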
Only the server operator has access to the database. But all important data is encrypted anyway.
Log in with the FMD app and click "Delete data".