Do we need to disclose Supabase Auth in our privacy policy?

Yes. Supabase Auth processes personal data including email addresses and IP addresses on your behalf. Under GDPR and CCPA, you must disclose all third-party processors that handle user data. Omitting Supabase Auth from your privacy policy creates legal liability and violates transparency obligations.

What specific data does Supabase Auth collect?

Supabase Auth collects email addresses, hashed passwords, OAuth tokens (when users authenticate via social providers), user metadata you configure, and IP addresses during authentication attempts. Passwords are cryptographically hashed and never stored in plain text. The specific metadata collected depends on your application configuration.

Does Supabase Auth use cookies that require consent?

Supabase Auth does not set cookies itself. However, it may use local storage or session tokens to maintain authentication state. These are not tracking cookies and typically do not require explicit consent under GDPR or CCPA, though your policy should document how authentication tokens are stored and used.

Who processes our data and where is it stored?

Supabase Inc., a United States-based company, processes data as your service provider. By default, data is stored on Supabase's US-based cloud infrastructure. Supabase also offers self-hosting options that allow you to control data location. If using the cloud service, ensure your privacy policy discloses US data transfer and complies with applicable cross-border regulations.

Authentication

Privacy policy clauses for Supabase Auth

Supabase Auth is an open-source authentication system that enables user sign-up, login, and account management via email, OAuth providers, and magic links. Websites use it to securely manage user identities and control access to protected content or features.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Supabase Auth collects

Your privacy policy must disclose each of the following data types when you use Supabase Auth.

Password (hashed)

OAuth tokens

User metadata

IP address

When does Supabase Auth trigger privacy obligations?

Installation triggers immediate obligations

The moment you integrate Supabase Auth into your application, you begin collecting email addresses, hashed passwords, IP addresses, and OAuth tokens — all personally identifiable data under GDPR Article 4(1) and CCPA Section 1798.100. This is not passive; the SDK actively captures these data points during signup and login.

Which regulations apply — and why

GDPR

Common compliance pitfalls

Pitfall 1: Omitting OAuth token handling from privacy notices

When you enable OAuth (Google, GitHub, etc.), Supabase Auth exchanges user credentials for access and refresh tokens that are stored server-side. Many indie founders disclose "email collection" in their privacy policy but fail to mention that OAuth tokens are also collected and what third-party services (Google, GitHub) receive data. Under GDPR Article 13(2)(c) and CCPA Section 1798.100, you must disclose the *specific categories* of data and recipients. Regulators in enforcement actions (e.g., EDPB decisions on Meta's cookie walls) scrutinize whether users knew third-party tokens were being collected. Consequence: incomplete disclosures can trigger DPA warnings and in some cases fines under GDPR Article 83(4).

Pitfall 2: Confusing Supabase's "user metadata" field with optional data

Supabase Auth includes a "user_metadata" column that developers often populate with profile data (name, avatar URL, phone). This field is not separate from the authentication table — it's part of the same record collected during signup. Teams frequently fail to update consent flows or privacy policies to account for this metadata collection, treating it as "optional developer data" rather than declared personal processing. If your signup form only says "we collect email," but your code stores metadata, you've created a mismatch. Consequence: consent is invalid under GDPR Article 7(4) (ambiguity invalidates consent), and audits will flag scope creep.

Pitfall 3: Forgetting to update the DPA when self-hosting

Supabase is self-hostable; some teams deploy it on their own servers to "avoid" the US processor. However, the standard Supabase DPA only covers cloud hosting. If you self-host Supabase Auth, Supabase may argue the DPA no longer applies, leaving you without a processor agreement *and* creating ambiguity about data location in privacy notices. Consequence: your privacy policy claims data stays in-country, but you have no signed agreement with Supabase confirming the self-hosted arrangement, violating GDPR Article 28(3).

Privacy policy clauses for Supabase Auth

What data Supabase Auth collects

When does Supabase Auth trigger privacy obligations?

Installation triggers immediate obligations

Which regulations apply — and why

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting OAuth token handling from privacy notices

Pitfall 2: Confusing Supabase's "user metadata" field with optional data

Pitfall 3: Forgetting to update the DPA when self-hosting

Legal note

Sample privacy policy clause

What regulators look for

Audit priorities

Frequently asked questions

Do we need to disclose Supabase Auth in our privacy policy?

What specific data does Supabase Auth collect?

Does Supabase Auth use cookies that require consent?

Who processes our data and where is it stored?

Don't ship without Bandit.