Do I need to disclose Supabase (Database) in my privacy policy?

Yes. Supabase processes personal data on your behalf as a data processor, so you must disclose it in your privacy policy. You should specify that application data—including any personal information your users provide—is stored in Supabase's PostgreSQL database and subject to Supabase's privacy practices. This disclosure is required under GDPR, CCPA, and similar privacy regulations.

What data does Supabase (Database) collect or store?

Supabase stores whatever your application writes to its database, including user profiles, authentication data, uploaded files, and any application-specific information. It also logs real-time subscription events when users sync data and records edge function invocations. Supabase does not automatically collect personal data—you control what gets stored through your application logic. Always audit your database tables for personally identifiable information (PII) and document what you're storing.

Does Supabase (Database) require a cookie consent banner?

No. Supabase database itself does not set cookies. However, if your application uses Supabase Authentication alongside the database, or if you use other Supabase services that set tracking cookies, you may need consent banners for those features. Focus cookie disclosures on the specific services your site actually uses.

Who processes my data in Supabase and where is it stored?

Supabase Inc., a United States-based company, processes data as your service provider. Data can be hosted in US or EU regions depending on your configuration. Supabase maintains SOC 2 Type II compliance. For GDPR compliance when using US regions, ensure you have a Data Processing Agreement (DPA) in place and rely on standard contractual clauses (SCCs) for international data transfers.

Database & ORM

Privacy policy clauses for Supabase (Database)

Supabase is a PostgreSQL database platform with real-time capabilities and row-level security that developers use to store, manage, and sync application data. Websites use it to handle user information, application state, and file uploads with built-in access controls and live data synchronization features.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Supabase (Database) collects

Your privacy policy must disclose each of the following data types when you use Supabase (Database).

Application data stored in Supabase Postgres

Real-time subscription events

File storage uploads

Edge function invocation data

When does Supabase (Database) trigger privacy obligations?

When Supabase (Database) Triggers Privacy Obligations

Adding Supabase (Database) creates immediate data collection obligations the moment your application writes user data to its Postgres instance. Unlike client-side trackers, Supabase stores whatever schema and records your app persists—there is no passive default. This triggers:

GDPR (if you process EU residents' data): Article 13 (privacy notice) and Article 28 (processor agreement) apply instantly. Supabase Inc. becomes a data processor; you remain the controller. You must execute a Data Processing Addendum (DPA) with Supabase before storing personal data. Article 32 (security) and Article 5 (lawfulness, fairness, transparency) obligations also activate. If you store sensitive data (health, biometric), Article 9 consent rules apply separately.

Privacy policy clauses for Supabase (Database)

What data Supabase (Database) collects

When does Supabase (Database) trigger privacy obligations?

When Supabase (Database) Triggers Privacy Obligations

Where data goes

Common compliance pitfalls

Common Supabase (Database) Compliance Mistakes

Legal note

Sample privacy policy clause

What regulators look for

What Data Protection Regulators Examine in Supabase (Database) Audits

Frequently asked questions

Do I need to disclose Supabase (Database) in my privacy policy?

What data does Supabase (Database) collect or store?

Does Supabase (Database) require a cookie consent banner?

Who processes my data in Supabase and where is it stored?

Don't ship without Bandit.