The policy states that personal data submitted through Supabase's platform by enterprise customers relating to their own end users is processed by Supabase as a data processor under a separate data processing addendum, and this privacy notice does not govern that processing.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that end users of applications built on Supabase are not covered by this privacy notice, placing the primary disclosure obligation on the Supabase customer (the application operator) rather than Supabase itself. This has direct implications for enterprise customers who must maintain their own adequate privacy disclosures and ensure their DPA with Supabase is GDPR Article 28 compliant.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, individuals whose personal data is processed through applications built on Supabase are directed to consult the privacy notice of the application operator rather than Supabase's own policy. The agreement establishes that Supabase's obligations for such data are governed by a separate data processing addendum with the relevant enterprise customer.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with our data processing addendum. This Privacy Notice does not apply to such processing; if you believe your personal information has been included in any Customer Data, we recommend you read the Privacy Notice of the respective customer.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Article 28 (processor obligations), which requires a written contract between controller and processor specifying the nature and purpose of processing. The referenced data processing addendum is the operative document for GDPR compliance in this context. The UK GDPR imposes equivalent requirements. For California customers, CCPA requires service provider contracts to include specific restriction clauses. Enforcement authorities are EU supervisory authorities, the UK ICO, and the California Privacy Protection Agency. 2) GOVERNANCE EXPOSURE: High for enterprise customers. The carve-out places full controller-side disclosure and compliance obligations on Supabase customers who deploy the platform to serve their own end users. Any gap in those customers' privacy notices or DPA terms creates compliance exposure at the customer level. 3) JURISDICTION FLAGS: EU/EEA and UK deployments require GDPR Article 28-compliant DPAs between Supabase and each enterprise customer. California-based customers must ensure the DPA includes CCPA service provider restrictions. Sub-processor chains involving international transfers require separate transfer mechanism documentation. 4) CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams at organizations using Supabase should confirm that the referenced data processing addendum has been executed and reviewed for GDPR Article 28 and CCPA service provider compliance. They should also assess whether Supabase's sub-processor list is disclosed and whether advance notice of sub-processor changes is contractually provided. 5) COMPLIANCE CONSIDERATIONS: Enterprise customers should update their own privacy notices to disclose Supabase's role as a sub-processor. Data mapping documentation should reflect the controller/processor relationship and the scope of data categories processed. Periodic audits of the DPA and sub-processor list are advisable given the operational significance of the platform.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that end users of applications built on Supabase are not covered by this privacy notice, placing the primary disclosure obligation on the Supabase customer (the application operator) rather than Supabase itself. This has direct implications for enterprise customers who must maintain their own adequate privacy disclosures and ensure their DPA with Supabase is GDPR Article 28 compliant.
Under this clause, individuals whose personal data is processed through applications built on Supabase are directed to consult the privacy notice of the application operator rather than Supabase's own policy. The agreement establishes that Supabase's obligations for such data are governed by a separate data processing addendum with the relevant enterprise customer.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.