Supabase does not store your credit card or payment details itself. Payments go through Stripe, and Stripe's own privacy policy governs what happens to your financial information.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision is consumer-protective in that it confirms Supabase does not retain raw payment credentials, but it also means a portion of your financial data is governed by a third-party policy (Stripe's) that you should review separately.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Your payment card details are handled entirely by Stripe, not stored by Supabase. However, Stripe's separate privacy policy governs your financial data, and you should review it at stripe.com/privacy to understand how Stripe uses your information.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you make a purchase or payment on the Site, such as for a subscription, we collect transactional information provided in connection with your purchase or payment. Please note that we use third party payment processors, including Stripe, to process payments made to us. As such, we do not retain any personally identifiable financial information such as credit card numbers. Rather, all such information is provided directly by you to our third-party processor. The payment processor's use of your personal information is governed by their privacy notice. To view Stripe's privacy notice, please visit: https://stripe.com/privacy.— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: The delegation of payment processing to Stripe implicates PCI DSS (Payment Card Industry Data Security Standard) compliance obligations, which Stripe as a certified processor manages. Supabase's statement that it does not retain card numbers is consistent with standard PCI DSS scope-reduction practices. The FTC and state attorneys general have jurisdiction over payment data security failures. CCPA applies to transactional information collected in connection with purchases. GOVERNANCE EXPOSURE: Low. The use of a third-party processor like Stripe to handle raw payment credentials is standard industry practice and represents appropriate risk allocation. The key governance question is whether the commercial agreement with Stripe includes appropriate data processing terms, sub-processor notifications under GDPR if applicable, and incident response obligations. JURISDICTION FLAGS: EEA and UK users should confirm that Stripe's data processing arrangements with Supabase include appropriate GDPR transfer mechanisms for any data processed outside the EEA. California users should note that transactional data is collected and may be subject to CCPA rights. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should confirm that Supabase's agreement with Stripe includes a data processing agreement meeting GDPR Article 28 requirements where applicable, and that Stripe is listed as a sub-processor in the Supabase DPA shared with enterprise customers. COMPLIANCE CONSIDERATIONS: Legal teams should verify that Stripe's role is disclosed as a sub-processor in Supabase's DPA, and that enterprise customers receive adequate notice of sub-processor changes as required by GDPR. No specific action is needed regarding card data retention given Supabase's stated practice of not retaining payment credentials.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision is consumer-protective in that it confirms Supabase does not retain raw payment credentials, but it also means a portion of your financial data is governed by a third-party policy (Stripe's) that you should review separately.
Your payment card details are handled entirely by Stripe, not stored by Supabase. However, Stripe's separate privacy policy governs your financial data, and you should review it at stripe.com/privacy to understand how Stripe uses your information.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.