Supabase may receive personal data about you from external marketing and business partners and combine it with what it already has, then use the combined profile to administer services and run marketing activities.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The combination of externally sourced data with internally collected data can create detailed user profiles that go beyond what users would expect from signing up for a developer platform, and the breadth of marketing partner involvement warrants scrutiny.
Interpretive note: The policy does not enumerate specific marketing partners or the categories of data received from them, making it difficult to assess the full practical scope of data combination.
Personal information such as your contact details, demographic data, and activity information may be combined from multiple sources including third-party marketing partners, potentially creating a richer profile than you knowingly provided to Supabase directly.
How other platforms handle this
We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We may also share your personal data with advertising partners to display relevant advertising to y...
In order to provide you with services, Valve needs to share some data with the publisher or developer of the game (for example to verify your ownership of the game and register your Steam ID with the publisher), or with other third parties that Valve works with to provide services to you. Valve will...
We may share your personal information with third party vendors and service providers that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service and marketing assistance. We may also share information with advertising and analyt...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We may receive personal information about you from our business partners and service providers and combine this information with other data we collect from you. The third-parties may include website and service operators, payment processors, and marketing partners. The information may include contact information, demographic information, information about your communications and related activities, and information about your orders. We may use this information to administer and facilitate our services, your orders and our marketing activities.— Excerpt from Supabase's Supabase Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 6 (lawful basis) and Article 13/14 (transparency about data sources), CCPA's requirements to disclose categories of personal information collected and sources, and the FTC Act's prohibition on unfair or deceptive practices. Where personal data is sourced from third parties and combined with existing records, GDPR Article 14 requires that individuals be informed of the source and categories of data within one month of receipt. Enforcement authorities include EU supervisory authorities, the UK ICO, the FTC, and state attorneys general. GOVERNANCE EXPOSURE: Medium. Data combination from marketing partners is common in SaaS companies but requires adequate lawful basis documentation under GDPR (typically legitimate interests, which must be balanced against data subject interests) and clear CCPA disclosure. The policy does not enumerate specific third-party marketing partners, which may make it difficult for users to assess the full scope of the data ecosystem. JURISDICTION FLAGS: EEA and UK users have the highest exposure given GDPR's transparency requirements for third-party-sourced data. California users may have rights to know about the categories of third parties from whom Supabase receives data. Marketing data combinations involving Illinois residents could engage BIPA if biometric data were involved, though no biometric collection is described. CONTRACT AND VENDOR IMPLICATIONS: Compliance teams should request from Supabase a list of marketing partners and service providers with whom data is shared or from whom data is received, to assess whether sub-processor or data-sharing agreements are in place and whether those third parties provide adequate protections. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether Supabase's legitimate interest basis (if claimed) for marketing data combination has been documented with a legitimate interest assessment. CCPA-subject enterprises should verify whether data sharing with marketing partners could constitute a sale or sharing of personal information under CCPA's amended definitions, triggering opt-out obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The combination of externally sourced data with internally collected data can create detailed user profiles that go beyond what users would expect from signing up for a developer platform, and the breadth of marketing partner involvement warrants scrutiny.
Personal information such as your contact details, demographic data, and activity information may be combined from multiple sources including third-party marketing partners, potentially creating a richer profile than you knowingly provided to Supabase directly.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.