AFAIK the fact whether IP addresses and user agents are considered personal information is still up to debate.
Nevertheless it is not much work to add that so I probably will. I've already done that kind of policy to my app: "I keep nothing because I don't collect anything"
IP addresses combined with time stamps are personal information if there's only one person using that IP address at that moment in time. If you don't want to personally verify that the IP address was used by more than one person at the given time, you should consider it personal information.
What is apparently unintuitive to some people (especially programmers) about the GDPR definition of "personal information" is that it's not a clear cut list but highly contextual: if it can be used to unambiguously identify a single individual by someone, then to that someone it is personal information and they need to treat it as such.
Absurd example: if someone called "John Smith" writes their name on a piece of paper and you find it ten years later, it's probably not personal information as you have no way to determine who that name refers to or even whether it refers to anyone at all.
Absurd counter-example: any given number can be personal information when used to identify specific individuals in the real world (e.g. numeric user IDs), so slipping your coworker a piece of paper with the number "12345" on it can be personal information if both of you know who it refers to (or can look it up).
It is personal information but is it personally identifiable?
For example in order to anonymize medical data you have to ensure that parties who do have access can not go from data to the person. This usually means that the database with data only has some identifiers and another database has the correspondence of identifier -> personal information.
Back to the IP address topic, it is true that an IP address plus a timestamp is enough to identify a specific computer. However, as a site owner I have no realistic mean to go from here to knowing who the person is. For example if somebody asked me to remove their data, they would have to tell me which IP they had when. (this is actually an interesting legal/technical question, should apache logs be purgeable?)
This being said to me it seems fair to specify that these logs are created and kept. It would be nice to have a boilerplate paragraph to paste to sites that only keep the apache logs.
I'm using the two phrases synonymously because the GDPR protects personal information, which is the superset (the distinction of PII as a subset seems to be more relevant in the US).
The GDPR is concerned with privacy. If you derive information from my personal information in a way that makes it impossible to go back from the derived information to identifying me as an individual, it's anonymous and thus not relevant to my privacy. However if you use this exact same process but only use it once and record that you only did it with my information, it becomes linked to me again and can no longer be considered anonymous.
For another example: imagine you have a closed group of 1000 participants. "One of the guys with blonde hair" is probably a fairly ambiguous identifier because you'd expect there to be more than one person in the group that description could apply to. However if I'm the only blonde guy in that group, it's now clearly referring to me as an individual and thus affecting my privacy.
The thing about storing IP plus timestamp on the other hand is that while it may be practically anonymous to you, you're storing it. Even though you can't resolve that information to a single person right now, someone else could if you gave them access to it.
You can make an argument about where exactly the line should be drawn considering it's rarely impossible that someone somewhere could use seemingly innocuous data to identify someone but it's not much of a leap to go from an IP address and a time stamp to a subscriber who might be a single individual: IPs are publicly registered to ISPs and those ISPs know who they assigned the IP to at a given point in time (especially in countries like Germany where ISPs are required to keep records of this) so you can already easily convert "IP plus timestamp" to "IP plus timestamp plus an organisation that is capable of resolving that IP plus timestamp to a subscriber". In other words: at best an IP plus timestamp isn't anonymous, it's at least pseudonymous (even if you have no legal means of resolving that pseudonym).
FWIW there are free privacy policy generators out there for small scale websites (e.g. most blogs). Here's a good one for Germany: https://datenschutz-generator.de/
EDIT: For programmers:
You have a set (IP, timestamp).
IPs are publicly registered to ISPs so you can resolve that to an ISP, which can act as a function (IP, timestamp) => subscriber.
A subscriber can be, among other things, a single individual.
So storing the IP and timestamp is the equivalent of storing an identifier from a lookup table of subscribers (some of whom are single individuals).
Whether the result of the lookup table is accessible by legal means (e.g. a warrant) or technical means (e.g. a decryption key) or practical means (e.g. a literal key to a safe) makes no difference.
Nevertheless it is not much work to add that so I probably will. I've already done that kind of policy to my app: "I keep nothing because I don't collect anything"