This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision clarifies the operational data governance structure by specifying that Supabase functions as a data processor for Customer Data rather than as a data controller. This allocation of responsibility means that the customer using Supabase's platform—not Supabase itself—bears primary responsibility for data protection obligations and privacy disclosures related to that Customer Data, with Supabase's obligations defined in a separate data processing addendum.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Individuals whose personal information is included in Customer Data are informed that Supabase's main Privacy Notice does not govern how their data is handled in that context, and they are directed to review the privacy notice of the organization that submitted their data to Supabase. The terms establish that Supabase's data handling practices for Customer Data are governed by contractual instructions from the customer and a separate data processing addendum rather than by this Privacy Notice.
How other platforms handle this
If you are in the 'Designated Countries', LinkedIn Ireland Unlimited Company ('LinkedIn Ireland') will be the controller of your personal data provided to, or collected by or for, or processed in connection with our Services. If you are outside of the Designated Countries, LinkedIn Corporation will ...
Crusoe (Sees code data for inference): We manage Crusoe's compute for training some of our custom models, as well as hosting some of our custom models. Modal (Sees code data for inference): We manage Modal's compute for training some of our custom models, as well as hosting some of our custom models...
We use information about you to provide, improve, and develop our products and services, personalize your experience, show you relevant content and ads, and communicate with you. We draw inferences about your interests and preferences based on your activity on Pinterest and elsewhere.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with our data processing addendum. This Privacy Notice does not apply to such processing; if you believe your personal information has been included in any Customer Data, we recommend you read the Privacy Notice of the respective customer.— Excerpt from Supabase's Supabase Privacy Policy
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision clarifies the operational data governance structure by specifying that Supabase functions as a data processor for Customer Data rather than as a data controller. This allocation of responsibility means that the customer using Supabase's platform—not Supabase itself—bears primary responsibility for data protection obligations and privacy disclosures related to that Customer Data, with Supabase's obligations defined in a separate …
Individuals whose personal information is included in Customer Data are informed that Supabase's main Privacy Notice does not govern how their data is handled in that context, and they are directed to review the privacy notice of the organization that submitted their data to Supabase. The terms establish that Supabase's data handling practices for Customer Data are governed by contractual …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.