The policy states that payment transactions are processed by Stripe and that Supabase does not retain credit card numbers or other personally identifiable financial information, which is instead governed by Stripe's own privacy notice.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that Supabase's data handling obligations for payment information are limited to transactional data, with credit card and financial credential data handled exclusively by Stripe under Stripe's separate privacy notice.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, users making payments on the Supabase platform provide financial credentials directly to Stripe rather than Supabase. Supabase states it retains only transactional information, not credit card numbers or equivalent financial identifiers.
How other platforms handle this
If you are in the European Economic Area (EEA), we only process your personal data when we have a valid legal basis to do so, including when: (a) you have consented to the processing; (b) the processing is necessary to perform a contract with you; (c) we have a legitimate interest in processing your...
We process the information you share with us when you create your profile or send messages. This includes photos, videos, messages, and other content you share on the platform. We may use this content to improve our services, ensure safety, and comply with legal obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you make a purchase or payment on the Site, such as for a subscription, we collect transactional information provided in connection with your purchase or payment. Please note that we use third party payment processors, including Stripe, to process payments made to us. As such, we do not retain any personally identifiable financial information such as credit card numbers. Rather, all such information is provided directly by you to our third-party processor. The payment processor's use of your personal information is governed by their privacy notice. To view Stripe's privacy notice, please visit: https://stripe.com/privacy.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: Payment processing arrangements engage PCI DSS standards (Stripe's responsibility as payment processor), and CCPA/GDPR disclosure requirements for categories of financial data processed. The CFPB has jurisdiction over financial data practices where applicable. The policy's disclosure that Stripe governs payment data is consistent with standard PCI DSS compliant architectures. 2) GOVERNANCE EXPOSURE: Low. The policy clearly limits Supabase's data retention to transactional metadata and directs financial credential governance to Stripe. Standard commercial practice. 3) JURISDICTION FLAGS: No heightened jurisdiction-specific exposure beyond standard payment data disclosure requirements. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should note that Stripe operates as an independent data controller for payment credentials. Vendor assessments should include Stripe's DPA and privacy notice review where required by organizational procurement policy. 5) COMPLIANCE CONSIDERATIONS: No significant compliance gaps identified. Legal teams should confirm that transactional data retained by Supabase (as distinct from payment credentials) is included in data mapping and retention schedules.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that Supabase's data handling obligations for payment information are limited to transactional data, with credit card and financial credential data handled exclusively by Stripe under Stripe's separate privacy notice.
Under this clause, users making payments on the Supabase platform provide financial credentials directly to Stripe rather than Supabase. Supabase states it retains only transactional information, not credit card numbers or equivalent financial identifiers.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.