Since you're also obligated to secure said data storing the IPs from brute force attempts is not only fine but almost a requirement. You're not making the connection to any individual and the use-case is legitimate.