Supabase may receive personal data about you from external marketing and business partners and combine it with what it already has, then use the combined profile to administer services and run marketing activities.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The combination of externally sourced data with internally collected data can create detailed user profiles that go beyond what users would expect from signing up for a developer platform, and the breadth of marketing partner involvement warrants scrutiny.
Interpretive note: The policy does not enumerate specific marketing partners or the categories of data received from them, making it difficult to assess the full practical scope of data combination.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
Personal information such as your contact details, demographic data, and activity information may be combined from multiple sources including third-party marketing partners, potentially creating a richer profile than you knowingly provided to Supabase directly.
How other platforms handle this
We may share your personal information with third parties in the following circumstances: With service providers who perform services on our behalf, such as data analytics, marketing, customer service, and technology services. With financial partners, including banks, brokerage firms, and payment pr...
We may share your information with third parties that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with business partners who offer products or services that...
In order to provide you with services, Valve needs to share some data with the publisher or developer of the game (for example to verify your ownership of the game and register your Steam ID with the publisher), or with other third parties that Valve works with to provide services to you. Valve will...
Monitoring
Supabase has changed this document before.
"We may receive personal information about you from our business partners and service providers and combine this information with other data we collect from you. The third-parties may include website and service operators, payment processors, and marketing partners. The information may include contact information, demographic information, information about your communications and related activities, and information about your orders. We may use this information to administer and facilitate our services, your orders and our marketing activities." — Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 6 (lawful basis) and Article 13/14 (transparency about data sources), CCPA's requirements to disclose categories of personal information collected and sources, and the FTC Act's prohibition on unfair or deceptive practices. Where personal data is sourced from third parties and combined with existing records, GDPR Article 14 requires that individuals be informed of the source and categories of data within one month of receipt. Enforcement authorities include EU supervisory authorities, the UK ICO, the FTC, and state attorneys general.
GOVERNANCE EXPOSURE: Medium. Data combination from marketing partners is common in SaaS companies but requires adequate lawful basis documentation under GDPR (typically legitimate interests, which must be balanced against data subject interests) and clear CCPA disclosure. The policy does not enumerate specific third-party marketing partners, which may make it difficult for users to assess the full scope of the data ecosystem.
JURISDICTION FLAGS: EEA and UK users have the highest exposure given GDPR's transparency requirements for third-party-sourced data. California users may have rights to know about the categories of third parties from whom Supabase receives data. Marketing data combinations involving Illinois residents could engage BIPA if biometric data were involved, though no biometric collection is described.
CONTRACT AND VENDOR IMPLICATIONS: Compliance teams should request from Supabase a list of marketing partners and service providers with whom data is shared or from whom data is received, to assess whether sub-processor or data-sharing agreements are in place and whether those third parties provide adequate protections.
COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether Supabase's legitimate interest basis (if claimed) for marketing data combination has been documented with a legitimate interest assessment. CCPA-subject enterprises should verify whether data sharing with marketing partners could constitute a sale or sharing of personal information under CCPA's amended definitions, triggering opt-out obligations.
ConductAtlas has identified this type of provision across 1 platform.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.