That works for any service where you don't fully control the other endpoint. They are just being transparent. Although the wording re: website is peculiar. Could it be their form of a canary like warning?
As a developer, I expect that smaller shops' infrastructure isn't as thoroughly locked down and things like passwords getting logged to splunk/ELK is tech debt, and par for the course. However that's a very specific exception though, to the point that instead of putting work into adding that into their disclaimer, they could have made sure the password wasn't being logged instead.
They deleted all of my data when one of my payments didn't go through, without notifying me. They are impossible to contact outside of passive aggressive email support. I deeply regret trying to trust this company with my data, which is now gone. Do yourself a favor before trusting them and give them a call and to ask about their services.