Is CrowdSec acting against European privacy regulations?

CrowdSec doesn’t export the log itself, only some metadata: the timestamp, the attack type and the aggressive IP.

An IP address is considered personal data under the GDPR if it can help identify the user behind it. GDPR Recital 49 makes it very clear that, in the context of defensive security tools, processing such data is allowed.

Nevertheless, after 6 months (instead of the 1 year allowed by the GDPR), we “blur” the IP into a range (i.e. 92.56.43.21 → 92.56.43.0/24) and do the same for the timestamp (i.e. 12:34:56 → 12:00 - 13:00).

The combination of time and IP “blurring” is enough for CrowdSec to render its service, yet it protects privacy even further than the GDPR regulatory framework demands.
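To make the retention rule above concrete, here is an added example (not CrowdSec’s own code; its real signal schema and storage are not described on this page) that applies the 6-month blurring to a constructed signal record: IPv4 addresses collapse to their /24 network and timestamps to a one-hour bucket, while younger signals are left untouched.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import ipaddress

BLUR_AFTER_MONTHS = 6  # retention window described on the page


@dataclass(frozen=True)
class Signal:
    # Hypothetical record shape: only the metadata the page says is shared.
    timestamp: str      # ISO-8601 with offset, e.g. "2024-01-05T12:34:56+00:00"
    attack_type: str
    source_ip: str
    blurred: bool = False


def blur_ip(ip: str) -> str:
    """Collapse an IPv4 address to its /24 network: 92.56.43.21 -> 92.56.43.0/24."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 blurring is described on the page")
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


def blur_timestamp(ts: str) -> str:
    """Reduce a timestamp to its hour bucket: 12:34:56 -> '12:00 - 13:00'."""
    start = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
    end = start + timedelta(hours=1)
    return f"{start:%Y-%m-%d %H:%M} - {end:%H:%M}"


def months_between(earlier: datetime, later: datetime) -> int:
    """Whole calendar months elapsed between two aware datetimes."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def minimize(signal: Signal, now_iso: str) -> Signal:
    """Apply the retention rule: blur signals older than BLUR_AFTER_MONTHS, idempotently."""
    if signal.blurred:
        return signal
    seen = datetime.fromisoformat(signal.timestamp)
    now = datetime.fromisoformat(now_iso)
    if months_between(seen, now) < BLUR_AFTER_MONTHS:
        return signal
    return replace(signal, source_ip=blur_ip(signal.source_ip),
                   timestamp=blur_timestamp(signal.timestamp), blurred=True)


if __name__ == "__main__":
    # Constructed sample signals; the IPs are documentation ranges, not real attackers.
    old = Signal("2024-01-05T12:34:56+00:00", "http-probing", "92.56.43.21")
    fresh = Signal("2024-08-20T03:10:00+00:00", "ssh-bf", "203.0.113.7")
    for s in (old, fresh):
        print(minimize(s, "2024-09-01T00:00:00+00:00"))
```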

Moreover, if you’re in an even stricter regulatory framework, you can disable IP sharing entirely. As well, remember that