audit report
Supabase
Supabase's privacy policy is comprehensive and appears largely aligned with the observed tech stack. The site loads no third-party trackers, sets no cookies, and has no CSP header, yet the policy claims extensive use of cookies, analytics (Google Analytics 4, Posthog, Plausible), and advertising services (Google Ads, hCaptcha, Stape.io). This disconnect suggests either the policy reflects capabilities across Supabase's broader ecosystem (not just the marketing homepage), or the homepage deliberately minimizes tracking while other properties employ these tools. The policy transparently discloses 31 named third parties, data sharing practices, and user rights including withdrawal of consent, but the public homepage behavior does not validate the claimed tracking infrastructure.
findings
- note · No Content-Security-Policy header
  A Content-Security-Policy header restricts the origins from which the page may load scripts and other resources, which limits what injected content can do. Its absence isn't a policy mismatch but is worth noting in a transparency report.
- note · Homepage vs. ecosystem tracking gap
  The homepage loads zero third parties and sets no cookies, yet the privacy policy claims active use of Google Analytics 4, Posthog, Plausible, Google Ads, hCaptcha, and Stape.io. This is not a false claim, but it reflects a discrepancy between the public landing page (which appears deliberately lean on tracking) and the broader Supabase ecosystem, where these tools are likely deployed.
  how we detected this → Observed: third_parties: [], cookies_set: []. Policy claims: uses_analytics: true, uses_advertising: true; named services include Google Analytics 4, Posthog, Plausible, Google Ads.
- note · Hashed email sharing for advertising audience creation
  The policy discloses sharing of 'cryptographic hashes of email addresses' with advertising partners for audience management. Hashing is a legitimate privacy-preserving technique, but a hash of an email address can still be matched by any partner that already holds that address, so the shared data is pseudonymous rather than anonymous. This is a subtle form of data sharing that may not be immediately apparent to users reading the policy casually.
  how we detected this → Policy quote: 'We may share limited personal information, such as contact identifiers (including email addresses or cryptographic hashes of email addresses), with advertising and marketing partners'
- info · No privacy-sensitive third parties detected
  No analytics, advertising, tracking, or session replay vendors were observed on this page.
- info · AI input collection with explicit consent model
  The policy clearly states that AI tool inputs and outputs are collected as User Content, and it explicitly offers withdrawal of consent for AI-powered services through account settings. This is transparent, but users should be aware that AI inputs (including potentially sensitive code or data) are retained and processed, likely including by the third-party AI providers listed in the policy, such as OpenAI and Amazon Bedrock.
  how we detected this → Policy quote: 'This includes any inputs you provide to our AI-powered support tools and outputs generated in response to your inputs.' Policy quote: 'If you have provided consent to share certain data with third-party partners in relation to our AI-powered services, you can update your preferences or withdraw your consent at any time through your account settings.'
- info · Email tracking in marketing communications
  The policy acknowledges email open and click tracking in promotional messages, a common but often under-disclosed practice. Unsubscribe mechanisms are provided, but users are not explicitly warned upfront that marketing emails include tracking pixels.
  how we detected this → Policy quote: 'Our marketing emails may include tracking technologies to help us understand whether an email was opened or a link was clicked within the email.'
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| no third parties observed | | | | |
policy claims
source · https://supabase.com/privacy
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (33)
Stripe, GitHub, Amazon Web Services, Google Cloud, Postmark, Twilio, Fly.io, PandaDoc, Atlassian, front.com, Clazar, Hex.tech, Clay, Orb, Hubspot, Tableau, Google Gsuite, Notion, Slack, Amazon Bedrock, OpenAI, Commonroom, Sentry, Posthog, Plausible, Google LLC, Vercel, Cloudflare, Configcat, Stape.io, Google Analytics 4, Google Ads, hCaptcha
retention
Personal information is retained for as long as necessary for the purposes outlined. Contact information for account holders is retained for the duration of the account plus 60 days after account closure. Retention periods vary by legal basis: legitimate interests (reasonable period), consent (until withdrawal or service end), contract (duration plus statute of limitations), legal obligation (period necessary to fulfill obligation), and legal claims (until hold is removed).
user rights
Users have the right to access, rectify, erase, restrict, and port their personal information. Users can withdraw consent for data processing based on consent. Users can object to processing based on legitimate interests and can opt out of marketing communications via unsubscribe links. Users can modify account information and User Content through account settings.
response headers
- hsts: yes
- csp: no
- server: Vercel
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://supabase.com from your own machine; the tool is MIT-licensed and runs locally.

```shell
pip install stackpeek
stackpeek audit https://supabase.com
```

provenance
This audit was generated by running stackpeek against https://supabase.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.