The policy authorizes Supabase to receive personal information from business partners, service providers, and marketing partners, and to combine this with internally collected data for service administration and marketing activities.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes data combination from multiple external sources including marketing partners, which may result in a more comprehensive profile of users than data collected directly from them. The categories of combined data include contact information, demographic information, communications activity, and order history.
The updated policy discloses that Supabase may use business contact information, including email domains, to identify organizations for sales and marketing outreach. The policy now explicitly states that personal information will be shared with Customer.io, a marketing communications service provider. For marketing communications, the policy relies on user consent for three purposes: sending marketing messages, using approximate location information to determine relevant communications, and combining personal information from different sources for relevance determination. These three consents operate independently, meaning you can grant or withdraw any of them without affecting the others. You can manage these marketing-related consents separately through the consent mechanisms available in your account or in response to marketing communications.
View change record →Under this clause, Supabase may receive and combine personal information from marketing partners and business partners with data already held about a user. The agreement states that this combined data may be used for marketing activities, and users may manage advertising preferences through the Privacy Settings tool.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may receive personal information about you from our business partners and service providers and combine this information with other data we collect from you. The third-parties may include website and service operators, payment processors, and marketing partners. The information may include contact information, demographic information, information about your communications and related activities, and information about your orders. We may use this information to administer and facilitate our services, your orders and our marketing activities.— Excerpt from Supabase's Supabase Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages GDPR Article 6 (lawful basis for processing), Article 14 (transparency obligations for data obtained from third parties), and CCPA disclosure requirements for categories of third-party data sources. The FTC Act Section 5 applies to unfair or deceptive data combination practices. Enforcement authorities are EU supervisory authorities, the California Privacy Protection Agency, and the FTC. 2) GOVERNANCE EXPOSURE: Medium. The combination of externally sourced data with internally collected data may require additional transparency disclosures under GDPR Article 14, particularly if users are not informed at the time their data is obtained from third parties. CCPA requires disclosure of categories of sources from which personal information is collected. 3) JURISDICTION FLAGS: EU/EEA users are entitled under GDPR Article 14 to be informed when their data is obtained from third parties. California residents have CCPA rights to know the categories of sources from which personal information is collected. These rights may require enhanced disclosure beyond what the current policy provides. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should assess whether Supabase's use of marketing partner data for combined profiling is consistent with their own data governance policies, particularly where employees access Supabase using corporate credentials. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that GDPR Article 14 notices are provided where data is obtained from third-party sources. CCPA privacy notice updates may be needed to enumerate the categories of third-party sources. Consent mechanism audits should confirm that marketing data combination is properly disclosed.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes data combination from multiple external sources including marketing partners, which may result in a more comprehensive profile of users than data collected directly from them. The categories of combined data include contact information, demographic information, communications activity, and order history.
Under this clause, Supabase may receive and combine personal information from marketing partners and business partners with data already held about a user. The agreement states that this combined data may be used for marketing activities, and users may manage advertising preferences through the Privacy Settings tool.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.