You own your data, but you grant Supabase a broad license to use, copy, and display it as needed to operate the service.
This analysis describes what Supabase's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
While customer data ownership is confirmed, the operational license granted to Supabase is broad in scope and includes worldwide rights to reproduce and distribute customer data, which is the standard mechanism by which Supabase can store, back up, and deliver your data through its infrastructure.
The relocation of Supabase's legal entity from Delaware to Singapore may affect which jurisdiction's courts and laws apply to disputes, potentially impacting your ability to pursue claims in US courts and changing which consumer protection laws govern your relationship. The requirement to explicitly click 'I Accept' rather than accepting through sign-up or service use clarifies consent but does not substantively change the agreement's terms. The new section on AI-powered tools discloses that Supabase may use AI chatbots for customer support; review that section to understand how such tools may process your inquiries.
View change record →You retain ownership of all data you upload to Supabase, but the agreement grants Supabase a worldwide, royalty-free license to use and process that data to provide the service. This license is standard for cloud services but means your data may be processed across global infrastructure; review the DPA for data residency and transfer details.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Supabase has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"As between Customer and Supabase, Customer is and will remain the sole and exclusive owner of all right, title, and interest in and to all Customer Data, including all intellectual property rights therein. Customer hereby grants to Supabase a non-exclusive, royalty-free, worldwide license to reproduce, distribute, and otherwise use and display the Customer Data and perform all acts with respect to the Customer Data as may be necessary for Supabase to provide the Services to Customer.— Excerpt from Supabase's Supabase Terms of Service
REGULATORY LANDSCAPE: The customer data ownership clause and associated license engage GDPR Article 28 (processor obligations) and the principle that data controller instructions govern processor actions. The license language 'reproduce, distribute, and otherwise use and display' is operationally necessary for cloud services but should be read alongside the DPA to confirm that processing is limited to service delivery purposes. CCPA compliance depends on whether Supabase's processing is limited to the service provider role. GOVERNANCE EXPOSURE: Low to Medium. The data ownership confirmation is favorable to customers, but the breadth of the operational license and the interaction with the Aggregated Data carve-out means customers should confirm the DPA limits Supabase's processing to service delivery and does not permit secondary uses beyond aggregation. JURISDICTION FLAGS: EU/EEA customers should ensure the DPA includes appropriate Standard Contractual Clauses (SCCs) for international data transfers given Supabase's global infrastructure. Customers subject to data residency requirements (e.g., German Landesdatenschutz, French CNIL guidance) should confirm available regional hosting options. CONTRACT AND VENDOR IMPLICATIONS: The DPA is a critical companion document to this provision and should be reviewed to confirm scope limitations, sub-processor obligations, breach notification timelines, and data return/deletion procedures at contract end. COMPLIANCE CONSIDERATIONS: Data mapping exercises should capture Supabase as a processor and confirm that the processing scope in the DPA aligns with customer privacy notices; confirm sub-processor list and change notification mechanisms; assess data return and deletion procedures upon termination.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
While customer data ownership is confirmed, the operational license granted to Supabase is broad in scope and includes worldwide rights to reproduce and distribute customer data, which is the standard mechanism by which Supabase can store, back up, and deliver your data through its infrastructure.
You retain ownership of all data you upload to Supabase, but the agreement grants Supabase a worldwide, royalty-free license to use and process that data to provide the service. This license is standard for cloud services but means your data may be processed across global infrastructure; review the DPA for data residency and transfer details.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Supabase.