The policy states that when users authenticate via GitHub SSO, Supabase receives name, username, email address, language preference, and profile picture from the SSO provider, and uses this data to operate and maintain the service.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the data categories obtained through GitHub SSO authentication and the basis on which Supabase accesses third-party identity data. The scope of data received is determined by the authorization procedures of the SSO provider, not solely by Supabase.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, users who authenticate via GitHub SSO authorize Supabase to receive name, username, email address, language preference, and profile picture from GitHub. The agreement states this information is used to operate and maintain the service.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We use single sign-on ("SSO") such as GitHub to allow a user to authenticate their account using one set of login information. We will have access to certain information from those third parties in accordance with the authorization procedures determined by those third parties, including, for example, your name, username, email address, language preference, and profile picture. We use this information to operate, maintain, and provide to you the features and— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: SSO data collection engages GDPR Article 6 (lawful basis, likely legitimate interest or contract performance) and CCPA disclosure requirements for categories of data collected. The data categories received via SSO must be included in the privacy notice's enumeration of data sources. Enforcement authorities are EU supervisory authorities and the California Privacy Protection Agency. 2) GOVERNANCE EXPOSURE: Low. SSO data collection is standard practice; the policy discloses the categories received. Risk is limited to whether the scope of SSO data is proportionate to the service purpose under GDPR data minimization principles. 3) JURISDICTION FLAGS: EU/EEA users should note that SSO data flows from GitHub to Supabase may involve cross-border transfers if either party is outside the EEA. GDPR transfer mechanisms should apply to any such flow. 4) CONTRACT AND VENDOR IMPLICATIONS: No unusual vendor implications. The policy correctly directs users to the SSO provider's privacy notice for the provider's own data practices. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that the categories of data received via GitHub SSO are accurately reflected in data mapping documentation and that the lawful basis for processing SSO-derived data is documented.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the data categories obtained through GitHub SSO authentication and the basis on which Supabase accesses third-party identity data. The scope of data received is determined by the authorization procedures of the SSO provider, not solely by Supabase.
Under this clause, users who authenticate via GitHub SSO authorize Supabase to receive name, username, email address, language preference, and profile picture from GitHub. The agreement states this information is used to operate and maintain the service.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.