If you are an end user of an app built on Supabase, your data is not covered by Supabase's own privacy policy. Instead, you need to look at the privacy policy of whichever company built that application.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision creates a direct transparency gap for potentially millions of end users who interact with applications built on Supabase but have no direct relationship with Supabase and may not know to look elsewhere for privacy disclosures.
If your personal data (such as your account information or usage data within a third-party app) is stored in a Supabase-powered database, Supabase's privacy protections described in this Notice do not apply to you directly. You would need to consult the privacy policy of the specific application you are using.
How other platforms handle this
AWS processes Customer Content you submit to Amazon Bedrock in accordance with the AWS Customer Agreement and applicable data protection terms. AWS does not use Customer Content processed by Amazon Bedrock to train Amazon's foundation models without your consent.
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
We may de-identify, anonymize, or aggregate information we collect so the information cannot reasonably identify you or your device, or we may collect information that is already in de-identified form. For example, we may disclose performance benchmark data and other aggregated, anonymized, or de-id...
Monitoring
Supabase has changed this document before.
"Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Customer Data on behalf of and under the instructions of the relevant customer, in accordance with our data processing addendum. This Privacy Notice does not apply to such processing; if you believe your personal information has been included in any Customer Data, we recommend you read the Privacy Notice of the respective customer." — Excerpt from Supabase's Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8), which define data controller and processor roles, and Article 28, which requires a binding contract between controller and processor. Under GDPR, the enterprise customer is the data controller and bears primary accountability to data subjects. CCPA similarly distinguishes between businesses and service providers, and the carve-out is consistent with Supabase positioning itself as a service provider under CCPA. The relevant enforcement authorities are EU supervisory authorities (for EEA data), the UK ICO (for UK data), and state attorneys general and the FTC for US-based concerns.
GOVERNANCE EXPOSURE: Medium. The carve-out is legally standard for B2B infrastructure providers and mirrors common SaaS processor structures. However, it creates meaningful exposure for enterprise customers who may underestimate their own controller obligations toward their end users. If an enterprise customer fails to maintain an adequate privacy notice covering Supabase-processed data, that customer faces regulatory exposure, not Supabase directly.
JURISDICTION FLAGS: EU and UK enterprise customers face the highest exposure, as GDPR imposes detailed controller obligations including transparency requirements under Articles 13 and 14. California enterprise customers should evaluate whether their privacy disclosures to end users adequately describe Supabase as a service provider and whether any data shared with Supabase could constitute a "sale" under CCPA.
CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers procuring Supabase must execute the separately referenced Data Processing Addendum. Procurement teams should verify the DPA includes all required GDPR Article 28 clauses, specifies sub-processor obligations, and includes appropriate data subject rights support provisions. The DPA governs the processor relationship, and gaps in that document create compliance risk that this Notice does not resolve.
COMPLIANCE CONSIDERATIONS: Enterprise legal and compliance teams should audit their own end-user-facing privacy notices to confirm Supabase is disclosed as a data processor and that end users are informed of the categories of data processed and purposes. Organizations in regulated sectors (healthcare, education, financial services) should conduct a data mapping exercise to determine whether regulated data categories flow through Supabase and whether the DPA and applicable sector regulations (HIPAA, FERPA, GLBA) are satisfied.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.