Privacy

What we collect, why, and how to delete it.

Last updated: 2026-05-14. We are not lawyers; this is the plain-English summary.

The short version

Suparbase stores the absolute minimum required to do its job: your account, your saved Supabase connections, and an audit log of writes you perform. Your Supabase keys are AES-256-GCM encrypted before they ever touch a database row. They are never sent to a browser, never logged, and never read except inside a server-side proxy responding to one of your own requests.

What we collect

  • Account: email address, hashed password (bcrypt), display name if you supplied one, and account creation / last-login timestamps. If you sign in via GitHub OAuth, we also store the OAuth provider id and avatar URL.
  • Connections: the Supabase URL, hostname, role (derived from the JWT), and an AES-256-GCM ciphertext blob of the API key. Optionally a second ciphertext blob holding a direct Postgres connection string (used only by the RLS debugger and SQL playground).
  • Audit log: per-write rows containing user id, connection id, schema name, table name, primary key, HTTP verb, status code, before/after row snapshots (when the upstream returned a representation), and a timestamp.
  • AI usage: when you bring an OpenRouter key, we store an encrypted copy and the last-run token usage (prompt / completion / total). We do not retain conversation transcripts on the server; chat history lives in your browser memory only.
  • Schema analysis cache: AI-generated table descriptions keyed by a SHA-256 fingerprint of your schema, so we don't spend tokens regenerating the same analysis.
  • Operational logs: HTTP access logs at the hosting layer (timestamp, IP, path, status, user-agent), retained for 30 days. JWT-shaped substrings and Supabase keys are redacted before logs are written.

What we don't collect

  • Row data from your Supabase project. The proxy streams it through us; we never persist it.
  • Plaintext API keys, passwords, or Postgres URLs. The only persisted form is encrypted.
  • AI chat transcripts. They live in your browser tab and disappear when you close the panel.
  • Marketing-grade analytics. No third-party trackers, no fingerprinting scripts, no behavioural cookies.

How we use what we collect

  • Your account exists so we can identify you across sessions.
  • Connections exist so we can proxy your PostgREST / Storage / Auth-admin requests with the right key.
  • The audit log exists so you can see who changed what, when, and (where captured) what changed.
  • Operational logs exist so we can debug outages and detect abuse.

We do not sell or rent any of the above. We do not share it with third parties except as listed in Subprocessors below.

Subprocessors

On the hosted plan, three vendors process data on our behalf:

  • Postgres hosting: for Suparbase's own database (sessions, connections, audit log).
  • Application hosting: for the Next.js app.
  • Email: for password recovery and trial expiry notifications only. We send no marketing email.

All three are GDPR-compatible and have signed our Data Processing Agreement.

Encryption

Supabase keys and optional Postgres URLs are encrypted with AES-256-GCM using a key from SUPARBASE_ENCRYPTION_KEY. The plaintext exists only as a request-scoped variable inside the server during the few milliseconds of a proxied request, then it's discarded.

Passwords (for email-and-password sign-ins) are hashed with bcrypt at cost 12. We never see your plaintext password and never email it to you.

Retention and deletion

  • You can delete any connection from /connections at any time. Doing so removes the encrypted key and cascades to any audit rows referencing it.
  • You can export your data as JSON from your account settings (connections, audit log entries, saved views) before deleting.
  • On cancellation of a hosted plan, your account is soft-deleted immediately and hard-deleted 30 days later, at which point all rows are removed from our database.

Cookies

We use one cookie: a signed, HTTP-only session cookie issued by NextAuth so you stay logged in. We do not use analytics or advertising cookies. We do not need a cookie banner because we do not need consent for the strictly-necessary session cookie.

Children

Suparbase is not intended for users under 16. We don't knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we'll delete the account.

Your rights

Depending on where you live (GDPR, CCPA, and similar regimes apply), you have the right to access, correct, port, or delete your data, and to lodge a complaint with a data protection authority. The account settings page and the contact email below are the fastest path for all of these.

Changes to this policy

We update this page when the answers above change. The Last updated date at the top is authoritative. Material changes will be announced via email.

Contact

For anything privacy-related, send a note via our contact form. For general support, same place.