Privacy Policy
Last updated: July 4, 2026
This Privacy Policy explains how Denvo LLC ("Denvo", "we", "us") collects and uses personal data when you visit the SupaClone website, create an account, connect a Supabase project, run clone jobs, or manage billing.
SupaClone is operated by Denvo LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States. This policy is written with the EU/EEA General Data Protection Regulation (GDPR) in mind and also covers visitors from other regions.
1. Controller and contact
The controller responsible for the processing described in this policy is Denvo LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States. For all privacy requests, including requests from users in the European Economic Area, the United Kingdom, or Switzerland, contact: privacy@supaclone.io.
2. Data we collect
Account data: when you sign in with GitHub (the only supported sign-in method), we receive and store your GitHub user id, email address, name, and avatar URL, together with organization membership, role, settings, and authentication session metadata managed through Supabase Auth.
Integration data: to connect your Supabase projects, we store Supabase OAuth connection metadata, project references, project names, and clone configuration. If you provide a database password or connection string, we store the resulting connection string encrypted with AES-256-GCM before it is written to the database, and your Supabase OAuth access and refresh tokens are encrypted the same way. These credentials are used only to run the clone workflows you request.
Clone data: job status, run history, worker metadata, progress events, warnings, verification reports, selected schema metadata, and operational logs needed to complete and debug clone runs. Where a clone touches personal data inside your own project, we process it on your behalf as described in our Data Processing Addendum.
Billing data: Stripe customer identifiers, subscription status, billing plan, price, checkout metadata, invoices, and payment lifecycle events. Full payment details (such as card numbers) are collected and processed by Stripe, not by us.
Technical data: our hosting provider records server logs including IP address, request headers, and timestamps for security and operations. Our error-tracking provider receives error reports as described in section 5.
Support data: if you contact us, we process the content of your message and your contact details to answer your request.
3. Purposes and legal bases
Performance of a contract (Art. 6(1)(b) GDPR): creating and managing your account, connecting Supabase projects, queuing and running clone jobs, generating reports, enforcing plan limits, providing support, and processing subscriptions and payments.
Legitimate interests (Art. 6(1)(f) GDPR): securing the service, preventing abuse and fraud, monitoring errors and availability through Sentry, keeping operational logs, and defending legal claims. Our interest is running a reliable, secure service; you may object as described in section 10.
Consent (Art. 6(1)(a) GDPR): usage analytics through Google Analytics and any other non-essential cookies. These run only after you consent and you can withdraw consent at any time with effect for the future.
Legal obligations (Art. 6(1)(c) GDPR): retaining billing and tax records and responding to lawful requests from authorities.
4. Cookies
Strictly necessary cookies are set without consent because the service cannot work without them: Supabase authentication session cookies that keep you signed in, and short-lived OAuth security cookies (state and PKCE verifier, maximum age 10 minutes) used while connecting your Supabase account. These store no tracking profiles.
Analytics cookies from Google Analytics are set only after you consent through the cookie settings. You can decline or withdraw consent at any time via the cookie settings without affecting your ability to use SupaClone. If you decline, no analytics cookies are set.
5. Analytics and error tracking
Google Analytics (Google LLC, United States): with your consent, we use Google Analytics to understand how the website and application are used. Google Analytics sets cookies and processes pseudonymous identifiers, truncated IP addresses, device information, and interaction events. Legal basis: consent (Art. 6(1)(a) GDPR).
Sentry (Functional Software, Inc.): we use Sentry to collect error and crash reports so we can detect and fix failures. Error reports can include IP address, browser and device information, request metadata, and a pseudonymous user identifier. Legal basis: legitimate interest in operating a reliable service (Art. 6(1)(f) GDPR). Data is hosted in the European Union (EU).
6. Sharing and subprocessors
We share personal data with service providers only as needed to operate SupaClone, under contracts that restrict how they may use it. The current service-provider list is:
| Provider | Purpose | Data | Role | Location |
|---|---|---|---|---|
| Vercel | Hosting for the public website and Next.js web application. | HTTP requests, IP addresses, headers, logs, and deployment metadata. | Subprocessor / hosting provider | United States / global infrastructure |
| Supabase | Authentication, application database, row level security, Supabase OAuth integration, and connected project management workflows. | Account data, organization data, sessions, connected project metadata, encrypted integration credentials, clone jobs, reports, and billing state stored by SupaClone. | Subprocessor / application backend | East US (us-east-1) |
| Stripe | Checkout, subscriptions, customer portal, invoices, taxes, fraud prevention, and payment lifecycle webhooks. | Customer identifiers, email address where provided, billing metadata, subscription status, invoices, payment events, and payment method data handled by Stripe. | Independent controller for payments and subprocessor for billing operations | United States / global infrastructure |
| GitHub | OAuth sign-in for SupaClone accounts. | GitHub account identity data made available during authentication, such as user id, email address, name, avatar, and OAuth session metadata. | Independent controller / authentication provider | United States / global infrastructure |
| Supabase Management API | Project connection, project metadata reads, and selected project configuration clone workflows authorized by the customer. | Supabase project references, OAuth tokens, project metadata, selected configuration fields, Storage metadata, Edge Function metadata, and clone-operation responses. | External service controlled by the customer's Supabase account | Region depends on the connected Supabase organization and project |
| Sentry | Application error tracking and performance monitoring to detect, diagnose, and fix failures in the web application and clone workers. | Error and crash reports, stack traces, request metadata, IP address, browser and device information, and pseudonymous user identifiers included in error context. | Subprocessor / error monitoring provider | European Union (EU) |
| Google Analytics (Google LLC) | Usage analytics for the public website and application, loaded only after you give consent through the cookie settings. | Cookie identifiers, pseudonymous client id, truncated IP address, device and browser information, pages visited, and interaction events. | Subprocessor / analytics provider (consent-based) | United States / global infrastructure |
| Snaplet Snapshot / Copycat | Local worker tooling used only when structure + data clone modes are enabled, including anonymized data transforms. | Selected database schema metadata and selected table data during worker execution, only while a data clone mode is enabled. Data is processed inside the SupaClone worker environment and is not sent to Snaplet. | Software dependency used inside SupaClone worker | Worker deployment region |
We do not sell personal data and do not share it with third parties for their own advertising. We may disclose data where required by law, to enforce our terms, or as part of a merger or acquisition, in which case this policy continues to apply.
7. International transfers
Denvo LLC is located in the United States, so personal data of EU/EEA, UK, and Swiss users is transferred to and processed in the United States and other countries where our providers operate.
Where a provider is certified under the EU-U.S. Data Privacy Framework (including the UK Extension and the Swiss-U.S. DPF), such as Stripe, GitHub, and Google, transfers rely on that adequacy decision. For other transfers we rely on the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) with supplementary measures such as encryption in transit and at rest. You can request a copy of the applicable safeguards via privacy@supaclone.io.
8. Security
We protect personal data with HTTPS/TLS in transit, server-side authorization checks, Supabase row level security, service-role access only in trusted server contexts, and AES-256-GCM encryption for stored integration secrets such as OAuth tokens and database connection strings. Database connections to your projects use TLS certificate verification by default.
No service can guarantee perfect security. You should use least-privilege Supabase access, keep your accounts secure, and review clone targets before production use.
9. Retention and deletion
We keep account, project, billing, and clone job data while your account is active and as long as needed to provide the service, enforce billing, debug failures, and comply with legal obligations. Operational and error logs are retained only for as long as needed for security monitoring and debugging and are then deleted or anonymized.
Organization owners can delete the account from settings. Deletion cancels in-flight clone jobs, deletes the related Stripe customer where present, deletes the organization and its records (including encrypted project credentials and connected project data), and deletes the authenticated user. Stripe may retain invoices and payment records where legally required for accounting and tax purposes, and we retain billing records for the statutory retention periods.
10. Your rights under the GDPR
If the GDPR applies to you, you have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and the right to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw it at any time with effect for the future.
To exercise these rights, contact privacy@supaclone.io. You also have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state of your residence, workplace, or the place of the alleged infringement.
When SupaClone processes personal data contained in your own connected projects on your behalf, we act as processor and you are responsible for handling requests from your own end users; we will assist as described in the Data Processing Addendum.
11. US state privacy rights
Depending on your state of residence (for example under the California Consumer Privacy Act), you may have rights to know, access, correct, and delete personal information, and to opt out of the sale or sharing of personal information. We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise these rights, contact privacy@supaclone.io. We will not discriminate against you for exercising them.
12. Children
SupaClone is a developer tool intended for business and professional use and is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this policy
We may update this policy as the service, our providers, or legal requirements change. We will post the updated version on this page with a new "Last updated" date and, for material changes, notify you in the application or by email where appropriate.
14. Contact
For privacy requests and questions about this policy, contact: privacy@supaclone.io. Postal address: Denvo LLC, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM 87110, United States.