What are the institutional and regulatory implications of this document?

1) REGULATORY LANDSCAPE: This document engages GDPR (EEA, UK, and Switzerland users), CCPA and California Civil Code Section 1798.83 (California residents), and Nevada Chapter 603A (Nevada residents). The primary enforcement authorities are the relevant EU supervisory authorities and the UK Information Commissioner's Office for European users, and the California Attorney General and California Privacy Protection Agency for California residents. The document's acknowledgment that international t…

How does Supabase's Supabase Privacy Policy affect users?

The agreement establishes that Supabase collects account registration data, GitHub SSO credentials, device and usage information, communications content, and inputs and outputs from AI-powered support tools, and authorizes sharing this data with service providers, marketing partners, analytics providers, and third parties in connection with corporate transactions. Under these terms, end users of applications built on Supabase's platform are not covered by this privacy notice and are directed to…

How often is Supabase's Supabase Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Supabase updates this document?

Yes. Monitor subscribers ($19/month) can add Supabase to their watchlist and receive same-day email alerts whenever this document or any other Supabase document changes.

CA-D-000682

Supabase Privacy Policy

Supabase

Last change detected May 15, 2026 Privacy policy

SHA-256: 7df721dc6d9c35ddc3e… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Supabase ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

6 Medium severity

4 Low severity

Summary

This is Supabase's privacy policy covering how the company collects and uses personal information from developers and customers who use its open-source backend platform and website. The policy discloses that Supabase collects registration details (name, email, GitHub username), usage and device data, AI support tool inputs and outputs, and third-party data from business and marketing partners, and authorizes sharing this data with service providers, analytics providers, advertising partners, and acquirers in a corporate transaction. The policy separately states that data submitted by Supabase customers relating to their own end users (Customer Data) is processed under a distinct data processing addendum and is not covered by this notice, meaning end users of apps built on Supabase should consult the privacy policy of the application operator rather than this document.

Technical / Legal Breakdown

This privacy notice governs Supabase, Inc.'s collection, use, and disclosure of personal information in connection with its website (supabase.com) and associated developer services, operating under a dual controller/processor framework: Supabase acts as data controller for its own user data and as a data processor for Customer Data submitted through its platform, the latter governed by a separate data processing addendum. The policy states that Supabase collects registration information (name, email, GitHub username), payment transaction data routed through Stripe, communications content, SSO authentication data, usage and device data via cookies and analytics tools, and AI support tool inputs and outputs; it authorizes sharing with service providers, business partners, marketing partners, analytics providers, and in connection with corporate transactions including mergers and acquisitions. The document explicitly carves out Customer Data from the scope of this notice and directs affected individuals to the relevant customer's privacy policy, which is operationally significant for end users of applications built on Supabase who may not be aware their data is governed by a separate contractual chain. The policy engages GDPR (for EEA, UK, and Switzerland users), CCPA (for California residents), Nevada Chapter 603A, and general cross-border data transfer frameworks, with a dedicated EEA/UK/Switzerland section addressing lawful bases, data subject rights, and cookie governance; the document acknowledges that international transfers may involve countries without equivalent data protection standards, a disclosure that directly implicates GDPR Chapter V transfer requirements and UK adequacy frameworks.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: May 2026

May 15, 2026

medium

What changed Supabase updated its privacy policy on May 15, 2026 to disclose expanded use of business contact information for sales and marketing outreach, expanded sharing of personal information with the marketing service provider Customer.io, and clarified consent requirements for marketing communications including location-based and cross-source data analysis. The updated policy establishes that marketing-related consents are independent and can be managed separately.

Why this matters The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.

View full change record →

Medium — 6 provisions

AI Support Tool Inputs and Outputs as User Content Compare →

The policy states that inputs provided to Supabase's AI-powered support tools and the outputs generated in response are stored and collected as User Content as part of the Service. Users are described as having full control over what personal information they include in User Content.

Added May 21, 2026 Standard Seen across 284 platforms
Customer Data Processor Carve-Out Compare →

The policy states that personal data submitted through Supabase's platform by enterprise customers relating to their own end users is processed by Supabase as a data processor under a separate data processing addendum, and this privacy notice does not govern that processing.

Added May 9, 2026 Standard Seen across 284 platforms
International Data Transfers Compare →

The policy discloses that personal information may be transferred to and processed in countries, including the United States, that may not offer the same level of data protection as the user's country of origin.

Added May 21, 2026 Standard Seen across 284 platforms
Third-Party Data Sharing Including Marketing and Business Partners Compare →

The policy authorizes Supabase to receive personal information from business partners, service providers, and marketing partners, and to combine this with internally collected data for service administration and marketing activities.

Added May 21, 2026 Standard Seen across 284 platforms
California Advertising and Tracking Preferences Compare →

The policy discloses that Supabase uses tracking tools for advertising campaign measurement and personalized ad delivery, and provides California residents with a Privacy Settings mechanism to manage these preferences under California Civil Code Section 1798.83.

Added May 21, 2026 Standard Seen across 284 platforms
EEA, UK, and Switzerland Specific Disclosures Compare →

The policy provides a dedicated section for EEA, UK, and Switzerland users covering lawful bases for processing, cookie governance, and data subject rights, incorporating GDPR and UK GDPR compliance requirements.

Added May 21, 2026 Standard Seen across 284 platforms

Low — 4 provisions

Corporate Transaction Data Sharing Compare →

The policy authorizes disclosure of personal information to third parties in connection with corporate transactions such as mergers, acquisitions, asset sales, or similar events. This is a standard disclosure present in most commercial privacy policies.

Added May 21, 2026 Standard Seen across 284 platforms
Single Sign-On and Third-Party Authentication Data Compare →

The policy states that when users authenticate via GitHub SSO, Supabase receives name, username, email address, language preference, and profile picture from the SSO provider, and uses this data to operate and maintain the service.

Added May 21, 2026 Standard Seen across 284 platforms
Payment Processing via Stripe Compare →

The policy states that payment transactions are processed by Stripe and that Supabase does not retain credit card numbers or other personally identifiable financial information, which is instead governed by Stripe's own privacy notice.

Added May 21, 2026 Standard Seen across 284 platforms
Children's Privacy Compare →

The policy includes a children's privacy section, consistent with standard COPPA disclosure requirements, stating that the service is not directed to children under a specified age and that Supabase does not knowingly collect personal information from minors.

Added May 7, 2026 Standard Seen across 284 platforms