
FlowConsent is a GDPR-compliant cookie consent management platform.

© 2026 FlowConsent by BeBranded. All rights reserved.

Supabase


What does Supabase do?

Supabase is an open source backend platform that bundles a Postgres database, authentication, storage, realtime websockets and edge functions behind a simple developer API. Projects run on AWS in the region chosen by the customer, including several EU regions. From a GDPR perspective, Supabase Inc. is a processor that handles application data on the merchant's behalf, and end users interacting with the public website do not normally see Supabase cookies unless Supabase Auth is exposed to them.

What Supabase is and how it fits in a website stack

Supabase is an open source Firebase alternative that bundles a managed Postgres database, an authentication service, file storage, Realtime websockets and edge functions into a single backend. Developers create a project, choose an AWS region and consume the platform through the supabase-js SDK, the REST API auto generated from Postgres, the GraphQL endpoint or direct SQL connections. Supabase is widely used as the backend of Next.js, SvelteKit, Nuxt and Expo applications where the entire data layer, authentication and file uploads are delegated to Supabase.

What data Supabase processes

Supabase processes the application data the customer pushes into the project: user accounts in the auth.users table, profile and business data in custom tables, files in Storage buckets, realtime payloads broadcast through Postgres replication and audit logs. Supabase Auth issues a JSON Web Token, sets an access token cookie (sb-access-token) and a refresh token cookie (sb-refresh-token), and stores the user session in the browser's localStorage when the JavaScript SDK is used. The platform also collects standard request metadata (IP address, User Agent) for security and rate limiting.

GDPR and ePrivacy implications

Supabase Inc. is a processor for the customer's application data and a controller for limited account, billing and security purposes. Supabase Auth cookies are strictly necessary for the user to remain logged in and benefit from the ePrivacy storage exemption, so no consent is required for them. Personal data stored in the database, in Storage or in Realtime channels inherits the legal basis chosen by the customer (typically performance of a contract under Article 6(1)(b) GDPR for an authenticated SaaS, or consent under Article 6(1)(a) for marketing data).


International data transfers

Supabase projects can be deployed in eu-central-1 (Frankfurt), eu-west-1 (Ireland), eu-west-2 (London) or eu-west-3 (Paris). Even when an EU region is chosen, the Supabase dashboard, support, observability and billing infrastructure operate from the United States. Transfers rely on the Supabase Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3, encryption at rest, SOC 2 Type II, HIPAA for the enterprise plan and tightly scoped support access. Long term backups are stored in the same AWS region as the project.

Practical compliance steps

Sign the Supabase Data Processing Addendum, select an EU region for production, restrict the use of insecure RLS policies, enable audit logs and define retention rules for auth.users, user metadata and storage buckets. Document Supabase as a processor in your record of processing activities, mention Supabase Inc., the United States destination and the SCC and DPF safeguards in the privacy notice, and ensure that any analytics or marketing integration plugged into Supabase (Segment, PostHog, Hotjar, Meta Pixel) honours the visitor's consent state.

GDPR consent category

Analytics

Websites using Supabase must obtain user consent under GDPR regulations.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for accounts and application data; consent (Art. 6(1)(a) GDPR) if Supabase Auth uses optional analytics or if the application sets non essential cookies; legitimate interest (Art. 6(1)(f) GDPR) for security logs
Risk level: medium
Applicable regulations: GDPR, ePrivacy Directive (Cookie Law), CCPA, HIPAA (enterprise)

DPIA considerations

A DPIA is recommended when Supabase stores significant volumes of personal data (user accounts, profiles, health, financial or location data), when the application performs systematic profiling of EU users or when Realtime is used to broadcast personal data live. Routine backend usage for a marketing waiting list or a contact form does not normally require a DPIA.

Sample consent text

This application uses Supabase, a backend platform operated by Supabase Inc. (USA) on AWS infrastructure in an EU region. Supabase stores your account, profile and application data. Strictly necessary cookies and tokens are set by Supabase Auth to maintain your session. By creating an account, you accept this processing under EU Standard Contractual Clauses and the EU US Data Privacy Framework.

Technical details

Tracking method: Backend service: REST and GraphQL APIs, Postgres database, Realtime websockets, Auth, Storage, Edge Functions; supabase-js client in the frontend or server
Server location: Customer chosen region on AWS (eu-central-1, eu-west-1, eu-west-2, eu-west-3 available); company headquartered in San Francisco (Supabase Inc., USA)
Cookieless tracking available: Yes
Data transferred outside the EU: Supabase Inc. is incorporated in the United States and operates the Supabase platform on AWS. Each project is provisioned in a single AWS region chosen by the customer, including EU regions. Even for EU projects, the dashboard, support, billing and monitoring infrastructure are operated from the United States. Transfers rely on the Supabase Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework.

Third-party domains contacted

supabase.com, supabase.co, supabase.in, supabase.io

Cookies placed

Name | Type | Duration | Purpose
sb-access-token | Strictly necessary | 1 hour (configurable) | Stores the JWT access token issued by Supabase Auth to authenticate the user against the project APIs.
sb-refresh-token | Strictly necessary | 7 days (configurable) | Stores the refresh token used to obtain a new access token without re prompting the user for credentials.
sb-{project-ref}-auth-token | Strictly necessary | 7 days (configurable) | Composite Supabase Auth helper cookie used by the SSR helpers (next.js, sveltekit) to read the session on the server.


Frequently asked questions

Which cookies does Supabase set?

When the application uses Supabase Auth in the browser, Supabase sets strictly necessary cookies: sb-access-token (JWT access token), sb-refresh-token (refresh token) and an sb-{project-ref}-auth-token helper cookie for SSR. The cookies are scoped to the application domain (first party). Supabase Auth also stores the session in localStorage when the JavaScript SDK is configured to do so.

Is consent required for Supabase under GDPR and ePrivacy?

Cookies set by Supabase Auth are strictly necessary to maintain an authenticated session and benefit from the ePrivacy storage exemption, so no consent is required for them. Consent is required if the application stores marketing or analytics data through Supabase that goes beyond the user account, or if the frontend bundles non essential trackers next to Supabase.

What is the legal basis for processing data through Supabase?

Account creation, login and the SaaS itself rely on performance of a contract under Article 6(1)(b) GDPR. Security logs and rate limiting rely on legitimate interest under Article 6(1)(f) GDPR. Marketing data, newsletter opt ins and analytics stored in Supabase rely on consent under Article 6(1)(a) GDPR.

How are data transfers to the United States protected?

Supabase signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Production data lives in the AWS region selected by the customer (eu-central-1, eu-west-1, eu-west-2, eu-west-3). Supplementary measures include TLS 1.3, encryption at rest, SOC 2 Type II, HIPAA for enterprise customers and tightly scoped support access.

Is a DPIA required for Supabase?

A DPIA is recommended when Supabase stores significant volumes of personal data (user accounts, profiles, health data, financial data, location data), when the application performs systematic profiling of EU users or when Realtime broadcasts personal data live. For a small waiting list, contact form or internal tool a DPIA is generally not required.

How do I implement Supabase in a GDPR compliant way?

Sign the Supabase Data Processing Addendum, select an EU region for production, enable strict Row Level Security policies, use service role keys only in secure server side environments, enable audit logs, define retention rules for users and storage and document Supabase as a processor in your record of processing activities. Mention Supabase Inc., the EU region and the SCC plus DPF safeguards in the privacy notice.

What are the alternatives to Supabase in Europe?

European or self hosted alternatives include self hosted Supabase (the project is open source under Apache 2.0), Nhost (Germany), Hasura (US and EU), Appwrite (Netherlands, self hosted or cloud), Pocketbase (open source, self hosted), Directus (open source, self hosted) and OVHcloud Managed Postgres combined with custom authentication.

How do I update the cookie policy when using Supabase?

List Supabase Inc. as a processor for the backend, mention the strictly necessary Supabase Auth cookies (sb-access-token, sb-refresh-token) and explain that they maintain the user session, state that the data is stored in an AWS EU region selected by the publisher and link to the Supabase Privacy Policy. No consent line item is required for these cookies because they benefit from the strictly necessary exemption.