For sites hosted on saltcorn.com there is a central database storing all the information. None of this data is sent to a third party. We store all the crashes that occur on sites built on saltcorn.com, this helps to discover bugs.
When self hosting from packages or docker images, no information is sent to a central server or shared with a third party. No telemetry of any kind has been enabled.
It should only make outbound connections in these cases:
A cookie is set on the user's browser but this is a functional cookie used to track whether the user is logged in or not, so cookie consent is not required.
Crashes that occur on self hosted applications are not sent to a remote server, they just go into the crashlog of the root tenant on that server.
IP addresses are not currently stored, but I think they probably should be stored if you set up the EventLog to store Login events, so this may change in the future.
There may be other logging components in the system that track IP addresses (e.g. if you use nginx as a proxy, that may log IP addresses). To the best of my knowledge, the images created on DigitalOcean do not log ip addresses, but I have not checked this in depth.