The policy discloses that personal information may be transferred to and processed in countries, including the United States, that may not offer the same level of data protection as the user's country of origin.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision acknowledges that cross-border data transfers may involve jurisdictions with lower data protection standards, a disclosure that directly implicates GDPR Chapter V transfer requirements and UK adequacy framework obligations. The policy does not specify in this section what transfer mechanisms (such as Standard Contractual Clauses) are used, though the EEA/UK section may address this.
Interpretive note: The specific transfer mechanisms relied upon for EU/UK/Swiss data are not disclosed in the main policy body; compliance assessment depends on the EEA/UK section and the referenced DPA.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, personal information collected from users in the EU, UK, Switzerland, or other jurisdictions may be transferred to and stored in the United States or other countries. The agreement states that transferred data may be subject to lower protection standards in the destination country.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction.
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Personal information may be transferred to, stored and processed in a country other than the one in which it was collected. For example, the Sites are primarily hosted in and provided from the United States. Please note the country to which personal data is transferred may not provide the same level of protection for personal information as the country from which it was transferred.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (transfers to third countries), UK GDPR international transfer requirements, and Swiss data protection law. The adequacy decision framework, Standard Contractual Clauses (SCCs), and the UK International Data Transfer Agreement (IDTA) are the primary compliance mechanisms. The EU-US Data Privacy Framework may provide an adequacy basis for US transfers where Supabase is a certified participant. Enforcement authorities are EU supervisory authorities and the UK ICO. 2) GOVERNANCE EXPOSURE: Medium. The main policy body does not specify which transfer mechanisms are relied upon, though the EEA/UK/Switzerland-specific section may contain this detail. Absence of explicit SCC or adequacy disclosure in the main policy could create compliance gaps for enterprise customers relying on Supabase for EU data processing. 3) JURISDICTION FLAGS: EU/EEA users are protected by GDPR Chapter V, which requires specific transfer mechanisms for data sent outside the EEA. UK users require IDTA or SCCs for transfers to non-adequate countries. Swiss users require equivalent protections under the revised Federal Act on Data Protection. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm with Supabase whether SCCs, the EU-US Data Privacy Framework, or other mechanisms are in place for US transfers, and whether these are incorporated into the DPA. Transfer impact assessments may be required for high-risk data categories. 5) COMPLIANCE CONSIDERATIONS: Legal teams should review the EEA/UK section of this policy for transfer mechanism disclosures and request confirmation from Supabase of the specific mechanisms relied upon. Data mapping should identify all data flows to the US or other non-adequate countries and document the applicable transfer basis.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision acknowledges that cross-border data transfers may involve jurisdictions with lower data protection standards, a disclosure that directly implicates GDPR Chapter V transfer requirements and UK adequacy framework obligations. The policy does not specify in this section what transfer mechanisms (such as Standard Contractual Clauses) are used, though the EEA/UK section may address this.
Under this clause, personal information collected from users in the EU, UK, Switzerland, or other jurisdictions may be transferred to and stored in the United States or other countries. The agreement states that transferred data may be subject to lower protection standards in the destination country.
ConductAtlas has identified this type of provision across 55 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.