Your personal data may be moved to and stored in the United States or other countries, which may have weaker data protection laws than your home country.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does not specify which transfer mechanisms Supabase relies on.
Interpretive note: The document was truncated before the EEA-specific disclosures section, so it is unclear whether Supabase specifies transfer mechanisms (such as SCCs or DPF certification) in that section.
If you are outside the United States, particularly in the EU or UK, your personal data may be transferred to the US where data protection standards differ from those in your home jurisdiction. The policy does not identify the specific transfer safeguards (such as Standard Contractual Clauses) in this section.
How other platforms handle this
Where required by law, we provide adequate protection for the transfer of personal data in accordance with applicable law, such as by obtaining your consent, relying on the European Commission's adequacy decisions, or executing Standard Contractual Clauses. Where relevant, you may request a copy of ...
We may access, preserve, and share information with regulators, law enforcement, or others if we believe it is reasonably necessary to: detect, prevent, and address fraud and other illegal activity; protect ourselves, you, and others, including as part of investigations; and prevent death or imminen...
Customer authorized Mistral AI to transfer Personal Data to any country deemed to have an adequate level of data protection by the European Commission. Customer also authorizes Mistral AI to perform International Data Transfers to (a) on the basis of adequate safeguards in accordance with Applicable...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Note for International Visitors: Personal information may be transferred to, stored and processed in a country other than the one in which it was collected. For example, the Sites are primarily hosted in and provided from the United States. Please note the country to which personal data is transferred may not provide the same level of protection for personal information as the country from which it was transferred.— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V (restrictions on international transfers), the UK GDPR's equivalent transfer restrictions, and Swiss data protection law. Under GDPR, transfers to the US require an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another Article 46 mechanism. The EU-US Data Privacy Framework provides one adequacy basis for qualifying US organizations. Enforcement is by EU supervisory authorities and the UK ICO. GOVERNANCE EXPOSURE: Medium. The policy discloses that transfers occur and acknowledges the protection gap but does not specify the legal mechanism relied upon for GDPR-compliant transfers in this Notice (the EEA-specific disclosures section may provide additional detail, though the document was truncated). Failure to maintain adequate transfer mechanisms exposes Supabase and its enterprise customers to enforcement action. JURISDICTION FLAGS: EEA and UK users face the highest exposure. Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment (TIA) where US government access to data is a concern. Enterprise customers in the EU using Supabase to process their own users' data should verify the DPA includes appropriate SCCs and that a TIA has been conducted. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams should request from Supabase documentation of the specific transfer mechanisms relied upon (for example, EU SCCs under the 2021 European Commission standard clauses) and whether Supabase is certified under the EU-US Data Privacy Framework. These documents should be incorporated or referenced in the DPA. COMPLIANCE CONSIDERATIONS: Enterprise customers with EEA or UK data subjects should include Supabase in their Records of Processing Activities (ROPA) as a processor and document the transfer mechanism. Any change in Supabase's transfer mechanism or data hosting location should trigger a review of the enterprise's ROPA and DPA.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For users in the EU, UK, and other jurisdictions with strong data protection laws, international transfers require specific legal safeguards; this provision acknowledges the transfer risk but does not specify which transfer mechanisms Supabase relies on.
If you are outside the United States, particularly in the EU or UK, your personal data may be transferred to the US where data protection standards differ from those in your home jurisdiction. The policy does not identify the specific transfer safeguards (such as Standard Contractual Clauses) in this section.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.