
Agreed, minus the lack of salting and hashing of IP addresses in the db.

Save meta like country and city about the IP and then store the address unrecoverably. Generally no big reasons to have the actual IP stored.
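One way to do what this comment describes, as an added example (not code from the thread or from Weebly): keep coarse metadata, write an irreversible token of the address, and never store the raw IP. It assumes a server-side secret key held outside the database and, because a country/city lookup needs a GeoIP database, substitutes a coarse network prefix for the locality field.

```python
import hmac
import hashlib
import ipaddress

# Constructed secret for this example; in production load it from a secrets
# manager and never store it beside the tokens it protects.
SECRET_KEY = b"example-key-rotate-me"


def ip_token(ip: str, key: bytes = SECRET_KEY) -> str:
    """Irreversible, keyed fingerprint of an IP address.

    A plain salted hash is not enough here: IPv4 has only 2^32 values, so
    anyone who obtains the salt can rebuild the table by brute force.
    HMAC with a secret kept outside the database removes that option while
    still letting the application correlate repeat visitors.
    """
    canonical = str(ipaddress.ip_address(ip))  # normalise case / zero groups
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def coarse_network(ip: str) -> str:
    """Coarse locality stand-in (assumption): /16 for IPv4, /32 for IPv6.

    The comment keeps country/city; without a GeoIP database this keeps
    the routing prefix instead, which identifies no single host.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def store_record(ip: str, key: bytes = SECRET_KEY) -> dict:
    """The row written to the database in place of the raw address."""
    return {
        "ip_version": ipaddress.ip_address(ip).version,
        "network": coarse_network(ip),
        "ip_token": ip_token(ip, key),
    }


if __name__ == "__main__":
    print(store_record("203.0.113.42"))  # RFC 5737 documentation address
    print(store_record("2001:db8::1"))   # RFC 3849 documentation address
```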




And of course the email address should be encrypted (2-way).


Anyone who tells you they're "encrypting" email addresses in their SaaS app is almost certainly describing a cosmetic security feature.

Every day of the week and four times on Tuesday I'd prefer the team that spends their marginal dollar on finding the next marginal reflected XSS bug than the one that wastes it on "two-way encryption of email addresses".

I don't know what Weebly does for appsec (I've never worked with them and probably never will), but if they've spent even $50 on external appsec testing, they're 1000% better than 90% of rest of the applications we all use every day.


In terms of appsec, we run quarterly black box pen tests and annual comprehensive white box pen tests with well regarded firms, and have been rotating vendors on a regular basis for diversity. We also do a lot of stuff internally, like regular scanning, and internal sprints focused on vuln detection. We've been doing this for years. That's not to say we're perfect (we clearly are not) but we do take it seriously.


What sort of security training do you do for your developers and other staff?



