The policy provides a dedicated section for EEA, UK, and Switzerland users covering lawful bases for processing, cookie governance, and data subject rights, incorporating GDPR and UK GDPR compliance requirements.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that Supabase maintains a separate GDPR-aligned disclosure framework for European users, including lawful bases documentation and data subject rights procedures, which are operationally significant for enterprise customers and individual users exercising GDPR rights.
Interpretive note: The full content of the EEA/UK/Switzerland section was not available in the provided document excerpt; the assessment is based on the policy's table of contents reference and the introductory description of the section's scope.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, users in the EEA, UK, and Switzerland are directed to a dedicated section of the policy that sets out the lawful bases for processing their personal information and their rights under GDPR and equivalent frameworks. The agreement establishes that these users have specific rights in respect of their personal information.
How other platforms handle this
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"European Economic Area, United Kingdom or Switzerland: If you are located in the European Economic Area ("EEA"), United Kingdom or Switzerland, or otherwise engage with Supabase's European operations, please see the Privacy Disclosures for the European Economic Area, United Kingdom and Switzerland for additional European-specific privacy disclosures, including the lawful bases we rely on to process your personal information, how we use cookies when you access our Sites from the EEA, UK or Switzerland and your rights in respect of your personal information.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 6, 7, 13, 14, and 15-22 (lawful basis, consent, transparency, and data subject rights), UK GDPR, and the Swiss Federal Act on Data Protection. The relevant enforcement authorities are national EU supervisory authorities, the UK ICO, and the Swiss Federal Data Protection and Information Commissioner. 2) GOVERNANCE EXPOSURE: Medium. The existence of a dedicated EEA/UK section is standard for global platforms but requires ongoing maintenance to reflect changes in GDPR guidance, including SCCs, adequacy decisions, and enforcement guidance from supervisory authorities. 3) JURISDICTION FLAGS: EU/EEA, UK, and Switzerland users have the most extensive rights under this framework. Heightened exposure exists for any Supabase processing involving special category data or automated decision-making under GDPR Articles 9 and 22. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in the EEA or UK should confirm that their DPA with Supabase reflects the lawful bases disclosed in this section and that data subject rights request workflows are operationally supported. 5) COMPLIANCE CONSIDERATIONS: Legal teams should review the EEA/UK section for completeness of lawful basis documentation, cookie consent mechanisms, and data subject rights procedures. Annual reviews against updated GDPR guidance are advisable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that Supabase maintains a separate GDPR-aligned disclosure framework for European users, including lawful bases documentation and data subject rights procedures, which are operationally significant for enterprise customers and individual users exercising GDPR rights.
Under this clause, users in the EEA, UK, and Switzerland are directed to a dedicated section of the policy that sets out the lawful bases for processing their personal information and their rights under GDPR and equivalent frameworks. The agreement establishes that these users have specific rights in respect of their personal information.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.