At a minimum, I collect the IP number, time, method, URL, status, transfer length, referring URL, and user agent of every request to the web server. I may collect other information I haven't mentioned.
I no longer archive all of this permanently, but I still do whatever I want with it.
What does this mean to you? Well, for instance, if you're using a website which puts its session IDs in URLs, and you access an image here while logged into that site, and you don't have referrer information turned off, I can access your session, if your request isn't too old. Probably this is illegal, and anyway the details of most people's lives don't interest me, because they're not very well written. Sorry if I offend, but it's true.
But when (not if, please note) Pan Transit gets hacked, the attackers get access to my log data, and they can access your sessions too, for an indefinite period, until I notice that the system has been hacked and do something about it.
Just so you know.
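The exposure described above exists only while session IDs survive in the stored request URL and referring URL. The following is an added example, not part of the original page, of a scrubber a site operator could run over log lines before they are kept; it assumes the Combined Log Format, and the session parameter names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Combined Log Format: IP, ident, user, time, request line, status, length,
# referring URL, user agent (assumed format; adjust to your server's config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<length>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumed parameter names; extend for the applications you actually see.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "token"}
# Path-style session IDs, e.g. ";jsessionid=ABC" from servlet URL rewriting.
PATH_PARAM_RE = re.compile(r";(jsessionid)=[^;/?#]*", re.IGNORECASE)

def scrub_url(url):
    """Replace session-bearing query and path parameters with REDACTED."""
    if url in ("", "-"):
        return url
    try:
        parts = urlsplit(url)
    except ValueError:
        return "REDACTED-UNPARSEABLE"  # fail closed on malformed URLs
    path = PATH_PARAM_RE.sub(r";\1=REDACTED", parts.path)
    query = urlencode([
        (k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ])
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))

def scrub_line(line):
    """Scrub request URL and referrer; return None if the line does not parse,
    so the caller can drop or quarantine it instead of storing it raw."""
    line = line.rstrip("\n")
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (line[:m.start("url")] + scrub_url(m["url"])
            + line[m.end("url"):m.start("referrer")] + scrub_url(m["referrer"])
            + line[m.end("referrer"):])

# Constructed sample lines (documentation IP ranges, made-up session values).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /images/cat.png HTTP/1.1" 200 5120 "https://shop.example/cart?item=42&PHPSESSID=3f9a1c77e2" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:15:09 +0000] "GET /images/dog.png HTTP/1.1" 200 4096 "https://bank.example/home;jsessionid=A1B2C3?tab=1" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(scrub_line(raw))
```

Scrubbing at write time means a later compromise of the log store yields no usable session values, whatever the retention period.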