Merge pull request #8079 from open-sausages/pulls/4/docs-login

Personal data usage docs corrections

docs/en/02_Developer_Guides/09_Security/06_Personal_Data.md

@@ -44,13 +44,18 @@ SilverStripe will default to using PHP sessions for tracking logged-in users,
 which uniquely link users to their device/browser through a session cookie.
 If the user chooses the "Remember me" feature on login,
 this unique link will persist across sessions. 
+The default cookie lifetime for this feature is 48h.
+See `SilverStripe\Security\Member::$auto_login_token_lifetime` for details.
 
 ## Login Attempts
 
-SilverStripe can be configured to record login attempts, in order to lock out users
+SilverStripe is configured by default to record login attempts, in order to lock out users
 after a defined number of attempts, and hence limit the attack surface of the login process.
 This is predicated on tracking the IP address of the attempt, which can be considered personal data.
-See `SilverStripe\Security\Security::$login_recording` for details.
+IP addresses related to these attempts are stored indefinitely unless manually purged
+from the `LoginAttempt` table.
+See `SilverStripe\Security\Security::$login_recording` and
+`SilverStripe\Security\Security::$lock_out_after_incorrect_logins` for details.
 
 ## Logging and Exceptions