To establish a connection, your IP address is transmitted, but not saved. The private key and the FMD ID are saved temporarily in your browser. They are removed when leaving the page.
In plaintext:
Encrypted:
Important: you need to keep your password safe! Your password is used to unlock the encrypted private key.
Your data is only used to provide the functionality of finding and controlling your device. It is not given to other parties.
Your device creates an RSA-3072 keypair during registration. The private key is encrypted symmetrically with AES-GCM-256, using an Argon2 hash of your password as the key. Then the keypair (the public key and the encrypted private key) is uploaded to the server.
Every time your device sends data, it uses the public key to encrypt this data and uploads the encrypted data to the server.
When you access the web page and enter your user ID and password, the web page derives another Argon2 hash (with a different context string) from your password and sends it to the server. This proves to the server that you know the password without actually sending it to the server. The web page then downloads the keypair from the server and decrypts the RSA private key. It can then download any other data, such as the location, and decrypt it locally in your browser using the RSA private key.
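The flow described above, as an added Node.js example that is not the project's own code. Assumptions: scrypt stands in for Argon2 (which Node's standard library does not provide), the context string is prepended to the password, RSA uses OAEP padding, and the two context strings and all function names are hypothetical.

```javascript
// Added illustration (Node.js); not the project's code.
const crypto = require('node:crypto');

// Assumption: scrypt stands in for Argon2, and the context string is prepended
// to the password. Both context strings are hypothetical.
const CTX_WRAP = 'context:asymmetricKeyWrap';
const CTX_LOGIN = 'context:loginAuthentication';
const kdf = (ctx, password, salt) => crypto.scryptSync(ctx + password, salt, 32);

// Device, at registration: create the keypair and wrap the private key under the password.
function register(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 3072,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', kdf(CTX_WRAP, password, salt), iv);
  const wrapped = Buffer.concat([c.update(privateKey), c.final()]);
  // This record is everything the server stores: no password, no plaintext private key.
  return { publicKey, salt, iv, wrapped, tag: c.getAuthTag(),
           loginHash: kdf(CTX_LOGIN, password, salt) };
}

// Device, on each upload: encrypt with the public key (OAEP padding is an assumption).
const deviceEncrypt = (publicKey, data) => crypto.publicEncrypt(
  { key: publicKey, oaepHash: 'sha256' }, Buffer.from(data));

// Server, at login: compare the submitted login hash with the stored one.
const serverCheckLogin = (rec, hash) => crypto.timingSafeEqual(rec.loginHash, hash);

// Browser, after login: unwrap the private key locally and decrypt the downloaded data.
function browserDecrypt(rec, password, ciphertext) {
  const d = crypto.createDecipheriv('aes-256-gcm', kdf(CTX_WRAP, password, rec.salt), rec.iv);
  d.setAuthTag(rec.tag); // a wrong password is detected at d.final()
  const privateKey = Buffer.concat([d.update(rec.wrapped), d.final()]).toString();
  return crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, ciphertext).toString();
}
```

Because the login hash and the key-wrapping key come from different context strings, the value the server sees at login cannot be used to decrypt the stored private key.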
Only the server operator has access to the database. But all important data is encrypted anyway.
You can delete your account using the "Delete Account" button in the web interface and in the Android app.