The policy authorizes disclosure of personal information to third parties in connection with corporate transactions such as mergers, acquisitions, asset sales, or similar events. This is a standard disclosure present in most commercial privacy policies.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision permits personal information to transfer to successor entities in a corporate transaction, which may result in users' data being governed by a different entity's privacy practices following a transaction.
Interpretive note: The exact language of the corporate transaction clause was not available in the provided document excerpt; this provision is inferred from standard policy structure and partial document content.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, personal information collected by Supabase may be disclosed to acquiring or successor entities in the event of a merger, acquisition, or asset sale. The policy's terms governing such transfers apply as written at the time of any transaction.
How other platforms handle this
In the event of a merger, acquisition, reorganization, bankruptcy, or other similar event, your personal data may be transferred to a successor entity or third party as part of that transaction.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
1) REGULATORY LANDSCAPE: Corporate transaction data transfers engage GDPR Article 6 (lawful basis), and under CCPA, asset sales may constitute a sale of personal information requiring opt-out rights if the acquiring entity uses the data for different purposes. FTC guidance on corporate transactions and data assets may also apply. Enforcement authorities are EU supervisory authorities, the California Privacy Protection Agency, and the FTC. 2) GOVERNANCE EXPOSURE: Low to Medium. This is a standard clause but may require CCPA analysis if a transaction involves transfer of personal information to an entity that uses it for materially different purposes, which could trigger opt-out or notification obligations. 3) JURISDICTION FLAGS: California residents may have CCPA rights if a transaction constitutes a sale of personal information. EU/EEA users may require notification if data is transferred to a new controller with different purposes following a transaction. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether their DPA with Supabase addresses the assignment of processor obligations to successor entities and whether advance notice of corporate transactions is contractually required. 5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that any corporate transaction involving Supabase's data assets includes an assessment of applicable privacy law requirements, including CCPA opt-out analysis and GDPR controller change notifications where applicable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision permits personal information to transfer to successor entities in a corporate transaction, which may result in users' data being governed by a different entity's privacy practices following a transaction.
Under this clause, personal information collected by Supabase may be disclosed to acquiring or successor entities in the event of a merger, acquisition, or asset sale. The policy's terms governing such transfers apply as written at the time of any transaction.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.