Does Supabase Edge Functions require disclosure in our privacy policy?

Yes. Supabase Edge Functions processes user data including function invocation payloads, database queries, request metadata, and authentication tokens. Under GDPR and CCPA, you must disclose this processing activity, identify Supabase Inc. as a data processor, and explain the purpose of data collection. Omitting this from your privacy policy creates legal compliance gaps.

What specific data does Supabase Edge Functions collect?

Supabase Edge Functions collects function invocation payloads (request bodies sent to your functions), database queries executed within functions, request metadata (IP addresses, headers, timestamps), and authentication tokens used for verification. If your functions process personal information—names, email addresses, user IDs—that data is collected as part of the invocation payload and should be reviewed for PII exposure.

Does Supabase Edge Functions require a cookie consent banner?

No. Supabase Edge Functions does not set cookies and therefore does not require cookie consent under GDPR or CCPA. However, if your website uses other Supabase services (like Auth or Realtime) alongside Edge Functions, you may need consent for those separate services.

Who processes data from Supabase Edge Functions and where is it stored?

Supabase Inc., a United States-based company, acts as the data processor. Edge Functions run on Deno Deploy infrastructure. Data transfers occur to the US, which has no adequacy decision under GDPR; you must establish Standard Contractual Clauses (SCCs) or another valid transfer mechanism. Review Supabase's privacy policy at https://supabase.com/privacy for current data handling practices and residency options.

Cloud & Backend

Privacy policy clauses for Supabase Edge Functions

Supabase Edge Functions is a serverless computing platform that runs Deno-based functions on distributed servers, allowing websites to execute backend code without managing infrastructure. Organizations use it to process data, authenticate users, and handle API requests with automatic scaling.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Supabase Edge Functions collects

Your privacy policy must disclose each of the following data types when you use Supabase Edge Functions.

Function invocation payloads

Database queries from functions

Request metadata and auth tokens

When does Supabase Edge Functions trigger privacy obligations?

Installation & Immediate Data Flows

The moment you deploy a Supabase Edge Function, you begin processing user data in a third-party cloud environment (Deno Deploy infrastructure, operated by Supabase Inc., US-based). This triggers obligations immediately because:

Data in motion: Function invocation payloads, request headers, and authentication tokens are transmitted to Supabase's servers. If your function queries a Supabase database, additional PII may flow through the function's execution context. These are not processed locally—they leave your infrastructure.

GDPR (if you serve EU users): If any user is in the EU, GDPR Articles 5 (lawfulness, transparency) and 28 (processor agreement) activate. You must have a Data Processing Agreement (DPA) with Supabase Inc. in place *before* deploying. Supabase provides a DPA, but you must execute it. Additionally, your privacy policy must disclose that function data is processed in the United States (GDPR Article 13/14).

Common compliance pitfalls

1. Forgetting the Data Processing Agreement (DPA)

Many indie founders deploy Edge Functions without executing a formal DPA with Supabase Inc. The mistake: treating Supabase as a simple infrastructure provider rather than a data processor under GDPR Article 28. Supabase *does* provide a DPA template, but it must be signed. Without it, you have no legal basis for transferring EU user data offshore. Regulators (particularly DPAs in Ireland, Germany, or the UK) flag unsigned processor contracts as the first violation. The consequence: GDPR enforcement action, fines up to 4% of annual revenue, and potential function suspension orders during audit.

2. Miscategorizing or Undisclosing Function Payloads in Privacy Policies

Operators often write generic privacy policies ("we use cloud services") without naming what data Edge Functions specifically receive. If your function accepts email addresses, user IDs, or behavioral data, these must be itemized in privacy notices under GDPR Article 13 and CCPA Section 1798.100. Auditors check whether the privacy policy's data categories match actual function signatures in your codebase. Failing to disclose that authentication tokens are processed in Edge Functions is a common gap. Consequence: failed DPA compliance audit and user rights violations (users cannot exercise access or deletion rights if you haven't disclosed what data flows where).

3. Inheriting Database Security Without Auditing Function Logic

Because Edge Functions query Supabase databases, operators assume the database's row-level security (RLS) policies are sufficient. This misses the fact that functions execute in a separate context; if a function lacks input validation or has overly broad database queries, it can leak data outside RLS protections. A function might log request data, cache results, or make third-party API calls without applying the same data minimization you'd expect from the database. Consequence: data exposure that violates GDPR Article 5(1)(c) (data minimization) and CCPA's security standards, plus breach notification liability if unauthorized access occurs.

Privacy policy clauses for Supabase Edge Functions

What data Supabase Edge Functions collects

When does Supabase Edge Functions trigger privacy obligations?

Installation & Immediate Data Flows

Where data goes

Common compliance pitfalls

1. Forgetting the Data Processing Agreement (DPA)

2. Miscategorizing or Undisclosing Function Payloads in Privacy Policies

3. Inheriting Database Security Without Auditing Function Logic

Legal note

Sample privacy policy clause

What regulators look for

GDPR & UK DPA Audit Priorities

CCPA Audit Priorities

First Audit Flag

Frequently asked questions

Does Supabase Edge Functions require disclosure in our privacy policy?

What specific data does Supabase Edge Functions collect?

Does Supabase Edge Functions require a cookie consent banner?

Who processes data from Supabase Edge Functions and where is it stored?

Don't ship without Bandit.