The policy states that inputs provided to Supabase's AI-powered support tools and the outputs generated in response are stored and collected as User Content as part of the Service. Users are described as having full control over what personal information they include in User Content.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that AI support tool interaction data, including both user prompts and system-generated responses, is retained as part of the Service's data collection. This creates a data category that may require separate assessment under GDPR, CCPA, and emerging AI governance frameworks, particularly if users inadvertently include sensitive personal information in prompts.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, any information submitted to Supabase's AI-powered support tools is stored and treated as User Content subject to the policy's broader data retention and sharing terms. The agreement states that users have full control over what personal information they choose to include in User Content.
How other platforms handle this
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"After registration, you may create, upload or transmit files, documents, videos, images, data or information as part of your use of the Service (collectively, "User Content"). This includes any inputs you provide to our AI-powered support tools and outputs generated in response to your inputs. User Content and any information contained in the User Content, including personal information you may have included, is stored and collected as part of the Service. You have full control of the information included in the User Content.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 5 (data minimization and purpose limitation) and Article 9 (special category data) where users may inadvertently submit sensitive information via AI prompts. Under CCPA, AI interaction data constitutes personal information subject to disclosure, access, and deletion rights. The EU AI Act may also apply depending on how the AI support tool is classified. Enforcement authorities include EU supervisory authorities, the UK ICO, and the California Privacy Protection Agency. 2) GOVERNANCE EXPOSURE: Medium. The storage of AI tool inputs and outputs as User Content extends the data retention footprint without specifying a distinct retention period for this category. If sensitive data is submitted through AI prompts, this could create heightened obligations under GDPR Article 9 and equivalent state law frameworks. 3) JURISDICTION FLAGS: EU/EEA and UK users have data subject rights (access, erasure, portability) that may apply to AI-generated User Content. California residents have CCPA rights to know, delete, and correct. Illinois BIPA may be relevant if biometric data is inadvertently processed. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Supabase's AI support tools should assess whether their use of those tools may result in transmission of their own customers' personal data to Supabase, which would engage the DPA and sub-processor obligations. This may also trigger data mapping updates and vendor risk assessments. 5) COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether existing data subject rights workflows address requests relating to AI tool interaction records, and whether organizational policies prohibit employees from entering sensitive or confidential data into AI support tools. Data mapping documentation should include AI interaction data as a distinct category.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that AI support tool interaction data, including both user prompts and system-generated responses, is retained as part of the Service's data collection. This creates a data category that may require separate assessment under GDPR, CCPA, and emerging AI governance frameworks, particularly if users inadvertently include sensitive personal information in prompts.
Under this clause, any information submitted to Supabase's AI-powered support tools is stored and treated as User Content subject to the policy's broader data retention and sharing terms. The agreement states that users have full control over what personal information they choose to include in User Content.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.