Privacy Policy — Supabase RLS Security Scanner
Last Updated: April 17, 2026
Introduction
This Privacy Policy describes how the Supabase RLS Security Scanner Chrome extension (“the Extension”, “we”, “our”) handles user data. We are committed to protecting your privacy and being transparent about our data practices.
The Extension is a security scanning tool that detects Supabase instances on web pages and checks for Row Level Security (RLS) misconfigurations. This policy explains what data the Extension accesses, how it is used, and how it is stored.
Data We Access
In order to perform its security scanning functionality, the Extension accesses the following types of data from the web pages you visit:
1. Supabase Project URLs
- Public Supabase API endpoint URLs (e.g., https://<project-id>.supabase.co) found in page source code, inline scripts, meta tags, framework hydration data, and browser storage (localStorage/sessionStorage).
2. Supabase API Keys (JWT Tokens)
- Publicly exposed Supabase anonymous (anon) API keys embedded in client-side code. These are public keys intended for client-side use by Supabase’s design.
- The Extension identifies whether a key has the anon or service_role role for security assessment purposes.
3. Page Content (Read-Only)
- The Extension reads the DOM content, inline scripts, meta tags, and framework hydration data (__NEXT_DATA__, __NUXT__, etc.) of web pages you visit solely to detect Supabase configurations.
- The Extension also reads localStorage and sessionStorage entries that contain Supabase-related keys.
4. Network Resource Metadata
- The Extension uses the browser’s Performance API to inspect the URLs of network requests made by the page (not the content of those requests) to detect connections to Supabase endpoints.
5. Scan Results
- When you initiate a scan, the Extension queries the detected Supabase REST API endpoints using the publicly available API keys found on the page. The scan results include:
  - Table names and column names
  - Row counts and sample data (up to 100 rows per table, for preview purposes)
  - RPC function names and accessibility status
  - RLS (Row Level Security) status for each table
How We Use Your Data
All data accessed by the Extension is used exclusively for the following purpose:
- Security Scanning: To detect Supabase instances, enumerate exposed tables and RPC functions, and assess whether Row Level Security policies are properly configured.
We do NOT use your data for:
- Advertising or marketing
- User profiling or tracking
- Analytics or telemetry
- Training machine learning models
- Any purpose other than the security scanning functionality described above
Data Storage
Local Storage Only
All data processed and generated by the Extension is stored locally on your device using Chrome's chrome.storage.local API. Specifically:
- Detected Supabase instances and their scan results are stored per browser tab.
- A local cache of previously scanned instances is maintained to avoid redundant scans.
- A disclaimerShown flag is stored to track whether the first-launch disclaimer has been displayed.
No External Storage
- No data is transmitted to any external server, cloud service, or third party.
- No data is sent to us or any other party.
- All processing happens entirely within your browser.
Data Retention
- Tab-specific scan data is stored for the duration of the browsing session and is cleared when you use the “Clear” button in the Extension popup.
- Cached scan results persist in local storage until you manually clear them or clear your browser’s extension data.
- You can delete all stored data at any time by:
  - Clicking the 🗑️ (Clear) button in the Extension popup, or
  - Removing the Extension from your browser, or
  - Clearing your browser’s extension storage via chrome://settings.
Data Sharing
We do NOT share, sell, trade, or transfer any user data to any third parties. Since all data remains on your local device, no data sharing occurs at any point.
Third-Party Services
The Extension does NOT use any third-party services, SDKs, analytics platforms, or external APIs (other than the Supabase REST APIs that are already publicly accessible on the web pages you visit).
Permissions Explained
Permission: activeTab
Purpose: To access and scan the content of the currently active tab when you interact with the Extension.
Permission: storage
Purpose: To save detected instances and scan results locally on your device using chrome.storage.local.
Permission: host_permissions (https://*.supabase.co/*, <all_urls>)
Purpose: To detect Supabase instances on any web page you visit and to make API requests to Supabase endpoints for security scanning.
Security
- All data remains local to your device.
- No network requests are made to any servers other than the publicly accessible Supabase REST API endpoints detected on web pages.
- API keys used during scanning are the same publicly exposed keys already present in the web page’s client-side code.
Children’s Privacy
The Extension is not directed at children under the age of 13. We do not knowingly collect personal information from children.
Your Rights
- Access: You can view all stored data by interacting with the Extension popup.
- Deletion: You can delete all stored data at any time using the Clear button or by removing the Extension.
- Opt-out: You can disable or uninstall the Extension at any time to stop all data processing.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be reflected by updating the “Last Updated” date at the top of this document. We encourage you to review this policy periodically.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or the Extension’s data practices, please contact us at:
Email: contact@securifyai.co
Summary
Data collected: Supabase URLs, public API keys, table/column names, scan results
Data storage: Locally on your device only (chrome.storage.local)
Data shared with third parties: None
External servers contacted: Only publicly accessible Supabase REST API endpoints
Analytics / Tracking: None
User control: Full — clear or delete data at any time