Supabase updated its privacy policy on May 15, 2026 to disclose expanded use of business contact information for sales and marketing outreach, expanded sharing of personal information with the marketing service provider Customer.io, and clarified consent requirements for marketing communications including location-based and cross-source data analysis. The updated policy establishes that marketing-related consents are independent and can be managed separately.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
The updated policy establishes explicit disclosure of a specific marketing vendor (Customer.io) and clarifies the consent framework for marketing uses of personal information, including location-based and cross-source data analysis. This provides greater specificity about third parties receiving data and establishes granular controls over marketing-related uses, which affects how users and downstream organizations must document vendor relationships and consent mechanisms.
→ Review and manage your marketing communication preferences in your Supabase account settings to control consent for marketing messages, location-based determination, and cross-source data analysis independently.
→ Marketing communications will be sent and personal information will be shared with Customer.io according to the updated terms.
→ Location-based determination of marketing relevance and cross-source data combination for marketing purposes will proceed as described in the policy unless consent is withdrawn.
Policy discloses use of email domains and business contact information to identify organizations for sales and marketing outreach.
Policy explicitly names Customer.io as a service provider that receives personal information for marketing communications.
Policy establishes three independent marketing consents that can be granted or withdrawn separately without affecting each other.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
You can now control three different marketing uses of your data independently rather than as a single consent.
Supabase now explicitly discloses it will use your business contact information to contact your organization for sales purposes.
+ 1 more obligation changes. Full breakdown available with Monitor.
Track changes →Supabase disclosed expanded marketing practices and clarified consent requirements for marketing-related personal information use. The policy now explicitly names Customer.io as a service provider receiving personal data. The change appears designed to provide clearer notice of marketing data practices and establish granular consent control. Organizations that incorporate Supabase into their vendor stack should review whether this expanded disclosure affects their own privacy notices, particularly for customers whose personal information may be used in cross-source marketing analysis. The change does not appear to create new GDPR/CCPA obligations beyond existing transparency and consent requirements, but clarifies the scope of disclosed practices.
GDPR (articles 6, 13, 21 on lawful basis, transparency, and objection rights); CCPA (sections 1798.100-1798.120 on disclosure and consumer rights); state privacy laws with marketing communication opt-out requirements
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002132.
The severity level increased from 'low' to 'medium', elevating the importance of this provision regarding user content and AI tool data handling.
9 provisions unchanged.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorSupabase updated its legal entity from a Delaware corporation to a Singapore-based company and refined several procedural details in its …
Supabase changed its corporate structure from a Singapore entity (SUPABASE PTE. LTD.) to a Delaware corporation (Supabase, Inc.) on May …
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and lia…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.