That works for any service where you don't fully control the other endpoint. They are just being transparent. Although the wording re: website is peculiar. Could it be their form of a canary like warning?
As a developer, I expect that smaller shops' infrastructure isn't as thoroughly locked down and things like passwords getting logged to splunk/ELK is tech debt, and par for the course. However that's a very specific exception though, to the point that instead of putting work into adding that into their disclaimer, they could have made sure the password wasn't being logged instead.
