Supabase's services are not intended for children, and the policy includes a children's privacy section. Specific age thresholds and restrictions are referenced but not fully reproduced in the available document text.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
A clear restriction on children's use is required under COPPA for US-based services and equivalent laws in the EU (GDPR) and UK (Children's Code), and its presence indicates Supabase has considered age-related compliance obligations.
Interpretive note: The document was truncated before the full children's privacy section could be reviewed, so the specific age threshold, enforcement mechanism, and scope of the restriction cannot be confirmed from the available text.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Supabase's services appear to be restricted to users above a minimum age (typically 13 under COPPA), meaning the platform should not be used by or on behalf of children without appropriate safeguards.
How other platforms handle this
The Service is intended for general audiences and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child under the age of 13 has provided us with personal information without your cons...
enableGpcSdk: true, gpcSetting: { privacyPolicyLink: '/Privacy-Security-Policy-a-282.html' }
We process Global Privacy Control signals as opt-out requests for the sale or sharing of personal information.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Children's privacy— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: Children's privacy provisions implicate COPPA (Children's Online Privacy Protection Act), which applies to online services directed at children under 13 or where the operator has actual knowledge of collecting data from children under 13, enforced by the FTC. GDPR Article 8 and UK GDPR set the age of digital consent at 16 (with member state flexibility down to 13). The UK ICO's Children's Code (Age Appropriate Design Code) applies to online services likely to be accessed by children. Relevant enforcement authorities include the FTC, EU supervisory authorities, and the UK ICO. GOVERNANCE EXPOSURE: Low to Medium. As a developer-focused B2B platform, Supabase is unlikely to be primarily accessed by children. However, where Supabase is used to build consumer-facing applications accessed by minors, the enterprise customer bears responsibility for COPPA compliance in relation to their own application, not Supabase under this Notice. JURISDICTION FLAGS: US operations require COPPA compliance if children under 13 are known to use the service. EU and UK operations require compliance with GDPR Article 8 and the UK Children's Code respectively. Enterprise customers building applications that may be accessed by minors should implement independent age verification or assurance mechanisms. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using Supabase to build applications for general audiences should assess whether their application could be accessed by minors and whether their own privacy notices and data handling practices comply with applicable children's privacy laws. COMPLIANCE CONSIDERATIONS: The document was truncated before the full children's privacy section text was available, so a complete analysis of the specific age threshold and safeguards described cannot be confirmed. Legal teams should review the full children's privacy section of the current policy to verify it meets COPPA, GDPR Article 8, and UK Children's Code requirements.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
A clear restriction on children's use is required under COPPA for US-based services and equivalent laws in the EU (GDPR) and UK (Children's Code), and its presence indicates Supabase has considered age-related compliance obligations.
Supabase's services appear to be restricted to users above a minimum age (typically 13 under COPPA), meaning the platform should not be used by or on behalf of children without appropriate safeguards.
ConductAtlas has identified this type of provision across 9 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.