Your personal data may be moved to and stored in the United States or other countries, which may have weaker data protection laws than your home country.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does not specify which transfer mechanisms Supabase relies on.
Interpretive note: The document was truncated before the EEA-specific disclosures section, so it is unclear whether Supabase specifies transfer mechanisms (such as SCCs or DPF certification) in that section.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →If you are outside the United States, particularly in the EU or UK, your personal data may be transferred to the US where data protection standards differ from those in your home jurisdiction. The policy does not identify the specific transfer safeguards (such as Standard Contractual Clauses) in this section.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Note for International Visitors: Personal information may be transferred to, stored and processed in a country other than the one in which it was collected. For example, the Sites are primarily hosted in and provided from the United States. Please note the country to which personal data is transferred may not provide the same level of protection for personal information as the country from which it was transferred.— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (restrictions on international transfers), the UK GDPR's equivalent transfer restrictions, and Swiss data protection law. Under GDPR, transfers to the US require an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another Article 46 mechanism. The EU-US Data Privacy Framework provides one adequacy basis for qualifying US organizations. Enforcement is by EU supervisory authorities and the UK ICO. GOVERNANCE EXPOSURE: Medium. The policy discloses that transfers occur and acknowledges the protection gap but does not specify the legal mechanism relied upon for GDPR-compliant transfers in this Notice (the EEA-specific disclosures section may provide additional detail, though the document was truncated). Failure to maintain adequate transfer mechanisms exposes Supabase and its enterprise customers to enforcement action. JURISDICTION FLAGS: EEA and UK users face the highest exposure. Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA) where US government access to data is a concern. Enterprise customers in the EU using Supabase to process their own users' data should verify the DPA includes appropriate SCCs and that a TIA has been conducted. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request from Supabase documentation of the specific transfer mechanisms relied upon (for example, EU SCCs under the 2021 European Commission standard clauses) and whether Supabase is certified under the EU-US Data Privacy Framework. These documents should be incorporated or referenced in the DPA. COMPLIANCE CONSIDERATIONS: Enterprise customers with EEA or UK data subjects should include Supabase in their Records of Processing Activities (ROPA) as a processor and document the transfer mechanism. Any change in Supabase's transfer mechanism or data hosting location should trigger a review of the enterprise's ROPA and DPA.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does not specify which transfer mechanisms Supabase relies on.
If you are outside the United States, particularly in the EU or UK, your personal data may be transferred to the US where data protection standards differ from those in your home jurisdiction. The policy does not identify the specific transfer safeguards (such as Standard Contractual Clauses) in this section.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.