When you sign in to Supabase using GitHub or another SSO provider, Supabase receives certain profile details from that provider, such as your name, username, email, and profile picture, and uses them to operate your account and send you service messages.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
SSO authentication means Supabase receives profile data from your third-party accounts (such as GitHub) as part of login, and users should be aware of what data is shared during that authentication flow.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →If you log in to Supabase via GitHub SSO, Supabase receives your GitHub profile information including your name, email, username, language preference, and profile picture. This data is used to manage your account and send service communications.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We use single sign-on ("SSO") such as GitHub to allow a user to authenticate their account using one set of login information. We will have access to certain information from those third parties in accordance with the authorization procedures determined by those third parties, including, for example, your name, username, email address, language preference, and profile picture. We use this information to operate, maintain, and provide to you the features and functionality of the Service. We may also send you service-related emails or messages (e.g., account verification, purchase confirmation, customer support, changes or updates to features of the Site, technical and security notices).— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: SSO data flows implicate GDPR Article 6 (lawful basis for processing data received from third-party identity providers) and CCPA disclosure requirements regarding sources of personal information. The authorization scope is determined by the third-party identity provider (GitHub), and users' ability to limit data shared depends on those platforms' authorization settings. The FTC has jurisdiction over deceptive data collection practices. GOVERNANCE EXPOSURE: Low. SSO-based authentication is standard practice and the data categories described (name, email, username, language, profile picture) are routine. The key consideration is whether the scope of GitHub authorization is clearly communicated to users at the point of authentication and whether Supabase limits its access to the minimum necessary data. JURISDICTION FLAGS: EEA and UK users should confirm that data received via SSO is processed on an appropriate GDPR lawful basis, most likely contractual necessity for account operation. No heightened jurisdiction-specific exposure is apparent for this provision beyond standard GDPR transparency requirements. CONTRACT AND VENDOR IMPLICATIONS: Enterprise SSO deployments using GitHub or other providers should confirm that the data shared via SSO aligns with the enterprise's own data minimization policies and that GitHub's terms and privacy practices are acceptable in the enterprise's regulatory context. COMPLIANCE CONSIDERATIONS: Legal teams should verify that the scope of OAuth authorization requested from GitHub or other SSO providers is limited to the data categories described in the policy (name, email, username, language, profile picture) and that no additional data is silently collected. This should be periodically reviewed as SSO provider authorization APIs may change.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
SSO authentication means Supabase receives profile data from your third-party accounts (such as GitHub) as part of login, and users should be aware of what data is shared during that authentication flow.
If you log in to Supabase via GitHub SSO, Supabase receives your GitHub profile information including your name, email, username, language preference, and profile picture. This data is used to manage your account and send service communications.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.