What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy expressly engages GDPR (applicable to EEA, UK, and Switzerland users), the UK GDPR post-Brexit, CCPA (California Civil Code Section 1798.83 and related provisions), and Nevada Chapter 603A. Supabase identifies contractual necessity, legitimate interests, and consent as its GDPR lawful bases. The FTC has jurisdiction over general consumer privacy and data practices in the US. The policy's processor/controller split for Customer Data implicates GDPR Articles 28 a…

How does Supabase's Supabase Privacy Policy affect users?

Supabase collects a range of personal data including account registration details, usage behavior, device information, and cookie-based tracking data, and may share this with business partners and marketing vendors for advertising purposes. End users of applications built on Supabase are not covered by this policy at all and are directed to seek privacy information from the specific customer whose application they use, which may reduce transparency for those individuals. You can exercise data r…

How often is Supabase's Supabase Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Supabase updates this document?

Yes. Watcher subscribers ($9.99/month) can add Supabase to their watchlist and receive same-day email alerts whenever this document or any other Supabase document changes.

CA-D-000682

Supabase Privacy Policy

Supabase

Last change detected May 5, 2026 Privacy policy

SHA-256: 2cff08d82b7b8221c20… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Supabase ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

6 Medium severity

4 Low severity

Summary

This is Supabase's privacy policy explaining how the company collects and uses your personal information when you visit its website or use its developer platform. The most important thing to know is that Supabase collects your name, email address, GitHub username, and usage data, and may share it with third-party service providers and marketing partners, including for targeted advertising tracked via cookies. If you are in the EU, UK, or California, you have specific rights including access, deletion, and the ability to opt out of certain data uses, which you can exercise by contacting privacy@supabase.com.

Technical / Legal Breakdown

This Privacy Notice governs Supabase, Inc.'s collection, use, and disclosure of personal information in connection with its website (supabase.com) and associated developer services, operating as data controller for visitor and customer account data while acting as data processor for Customer Data submitted through the platform under a separate Data Processing Addendum. The policy states that Supabase collects registration data (name, email, GitHub username), payment transaction data (routed through Stripe), communications, usage and device data, and tracking information via cookies and third-party analytics tools; the terms authorize sharing with service providers, business partners, marketing partners, and in connection with corporate transactions such as mergers or acquisitions. Notably, the policy explicitly carves out Customer Data (end-user data processed on behalf of enterprise customers) from this Notice's scope and directs affected individuals to the respective customer's privacy notice, which is operationally distinct and may create transparency gaps for end users of applications built on Supabase. The policy expressly engages GDPR (for EEA, UK, and Switzerland users), CCPA (for California residents), and references Nevada's Chapter 603A; Supabase relies on contractual necessity, legitimate interests, and consent as lawful bases under GDPR, and the DPA governs processor-side obligations separately.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 6 provisions

Customer Data Processor Carve-Out Compare →

If you are an end user of an app built on Supabase, your data is not covered by Supabase's own privacy policy. Instead, you need to look at the privacy policy of whichever company built that application.

Added May 9, 2026 Standard Seen across 189 platforms
Third-Party Data Sharing and Marketing Partners Compare →

Supabase may receive personal data about you from external marketing and business partners and combine it with what it already has, then use the combined profile to administer services and run marketing activities.

Added May 9, 2026 Standard Seen across 246 platforms
Cookie and Tracking Technology Use for Advertising Compare →

Supabase uses tracking tools including cookies to measure ad performance and deliver personalized advertisements, and California residents can manage their tracking preferences through the Privacy Settings on the site.

Added May 9, 2026 Standard Seen across 251 platforms
International Data Transfer Disclosure Compare →

Your personal data may be moved to and stored in the United States or other countries, which may have weaker data protection laws than your home country.

Added May 9, 2026 Standard Seen across 246 platforms
User Content and AI-Powered Tool Inputs Compare →

Anything you upload or type into Supabase, including prompts you send to Supabase's AI support tools, is stored as part of the service. Supabase says you control what personal information you choose to include.

Added May 9, 2026 Standard Seen across 198 platforms
Data Retention and Security Compare →

Supabase has a section addressing how long it keeps your data and what security measures it applies, though the specific retention periods and security standards are not reproduced in the available document text.

Added May 7, 2026 Standard Seen across 223 platforms

Low — 4 provisions

Payment Processing and Stripe Data Handling Compare →

Supabase does not store your credit card or payment details itself. Payments go through Stripe, and Stripe's own privacy policy governs what happens to your financial information.

Added May 9, 2026 Common Seen across 150 platforms
Children's Privacy Restriction Compare →

Supabase's services are not intended for children, and the policy includes a children's privacy section. Specific age thresholds and restrictions are referenced but not fully reproduced in the available document text.

Added May 9, 2026 Standard Seen across 262 platforms
Single Sign-On (SSO) Third-Party Data Access

When you sign in to Supabase using GitHub or another SSO provider, Supabase receives certain profile details from that provider, such as your name, username, email, and profile picture, and uses them to operate your account and send you service messages.

Added May 9, 2026 Rare
Nevada Data Sale Opt-Out Disclosure Compare →

Supabase states that it does not sell your personal information under Nevada law, but Nevada residents can still contact Supabase to submit a formal opt-out request if they wish.

Added May 9, 2026 Standard Seen across 262 platforms