Privacy Policy
Last Updated: March 2026
Visatics Ltd., trading as SupaSafe ("we", "us", "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the SupaSafe service at supasafe.co.
SupaSafe is a database backup service for Supabase projects. This policy covers both the personal data we collect to operate your account and the database backup data we process on your behalf.
Visatics Ltd. is registered in England and Wales (company number 15339210) with its registered address at 51 Audley Park Road, Bath BA1 2XL, UK. For the purposes of data protection law, Visatics Ltd. is the data controller for your account data and a data processor for your database backup data. Our contact details are provided at the end of this document.
1. Information We Collect
1.1 Account Information
When you register for SupaSafe, we collect your name, email address, and payment information (processed via our third-party payment provider). We also collect your Supabase project connection details necessary to perform backups, including database host, port, and database name.
1.2 Usage Data
We automatically collect information about how you interact with our service, including backup schedules and history, backup sizes and durations, feature usage and preferences, IP addresses and browser information, and timestamps of account activity.
1.3 Database Backup Data
When performing backups, SupaSafe creates copies of your Supabase database. This backup data may contain any information stored in your database, including personal data of your own users or customers. We process this data solely for the purpose of providing the backup service and do not access, analyse, or use the contents of your backups for any other purpose.
2. How We Use Your Information
We use your account and usage data to provide, maintain, and improve the SupaSafe service; process payments and manage your subscription; send you service-related communications, including backup status notifications, security alerts, and account updates; provide technical support; comply with legal obligations; and detect and prevent fraud or abuse of our service.
We do not sell your personal data to third parties. We do not use the contents of your database backups for advertising, analytics, or any purpose other than providing the backup and restoration service.
3. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
Contract performance: Processing your account data and database backups is necessary to provide the SupaSafe service you have subscribed to.
Legitimate interests: We process usage data to improve our service, ensure security, and prevent abuse. We have assessed that these interests do not override your fundamental rights and freedoms.
Legal obligation: We may process data where required to comply with applicable laws, such as tax and accounting requirements.
Consent: Where we send marketing communications, we do so based on your consent, which you may withdraw at any time.
4. Data Storage and Security
We take the security of your data seriously and employ multiple layers of encryption and security controls to protect both your account information and your database backups.
4.1 Encryption in Transit
All data transmitted between your Supabase database and SupaSafe's infrastructure is encrypted using TLS 1.2 or higher. This applies to database connections during backup operations, API communications between your browser and SupaSafe, and all internal service-to-service communications within SupaSafe's infrastructure.
4.2 Encryption at Rest — Standard
All backup data stored by SupaSafe is encrypted at rest using AES-256 server-side encryption provided by our storage infrastructure (Backblaze B2). This encryption is applied automatically to all subscription tiers, including the Free tier. Encryption keys are managed by the storage provider and are rotated in accordance with industry best practices.
4.3 Encryption at Rest — Zero-Knowledge (Premium Feature)
Subscribers on eligible tiers may enable zero-knowledge encryption, which provides an additional layer of client-side encryption ensuring that SupaSafe has no ability to read the contents of your backups. This feature uses a hybrid envelope encryption scheme:
Envelope encryption model: Each backup is encrypted with a unique, randomly generated symmetric Data Encryption Key (DEK). The DEK is then encrypted with your asymmetric Key Encryption Key (KEK) and stored alongside the backup.
Symmetric layer (AES-256-GCM): The bulk encryption of backup data uses AES-256 in Galois/Counter Mode (GCM). AES-256-GCM provides both confidentiality and authenticated encryption, meaning any tampering with the encrypted backup data will be detected upon decryption. A unique initialisation vector (IV) is generated for each backup operation.
Asymmetric layer (RSA-4096): Your Key Encryption Key uses RSA with a 4096-bit key pair. The public key is stored by SupaSafe and used to encrypt each backup's DEK. The private key is held exclusively by you and is never transmitted to or stored by SupaSafe. Without your private key, neither SupaSafe nor any third party can decrypt your backup data.
Key management: You are solely responsible for the secure storage of your private key. If your private key is lost, SupaSafe cannot recover your encrypted backups. We strongly recommend storing your private key in a secure key management system or hardware security module and maintaining offline backup copies of your private key.
4.4 Encryption Summary
| Protection Layer | Standard (All Tiers) | Zero-Knowledge (Premium) |
|---|---|---|
| In Transit | TLS 1.2+ | TLS 1.2+ |
| At Rest (Server-Side) | AES-256 (Backblaze B2) | AES-256 (Backblaze B2) |
| At Rest (Client-Side) | — | AES-256-GCM per backup |
| Key Encryption | — | RSA-4096 envelope |
| SupaSafe Can Read Data | Yes (server-side access) | No (zero-knowledge) |
| Key Holder | Storage provider | Subscriber only |
4.5 Infrastructure Security
Our metadata database is hosted on Neon, which provides encryption at rest and in transit, automated security patches, and SOC 2 compliance. Backup storage on Backblaze B2 provides server-side AES-256 encryption, data centre physical security, and data durability designed to exceed 99.999999999% (eleven nines).
Authentication is handled through our authentication provider with industry-standard password hashing and session management. We regularly review and update our security measures.
5. Data Sharing and Third-Party Processors
We share your data only with third-party service providers who process data on our behalf to deliver the SupaSafe service. These include:
Neon (United States): Database hosting and authentication services (account metadata, not backup contents).
Backblaze, Inc. (United States): Secure storage of encrypted backup data.
Trigger.dev (United States): Backup job scheduling and execution.
Stripe, Inc. (United States): Payment processing (we do not store full payment card details; payment data is handled directly by Stripe in accordance with PCI DSS).
PostHog, Inc. (United States): Anonymous, privacy-focused product analytics to help us understand aggregate usage patterns and improve the service. PostHog is configured to collect only anonymised, non-personally-identifiable data; no individual user profiles are created.
All third-party processors are contractually bound to process your data only on our instructions and to maintain appropriate security measures. We conduct due diligence on our processors and ensure appropriate data processing agreements are in place.
Several of our processors are based in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms approved under UK data protection law.
6. Data Retention
We retain your data as follows:
Account data: For the duration of your active subscription, plus 30 days following cancellation or termination.
Backup data: In accordance with your subscription tier's backup retention schedule during active subscription. Following cancellation, backup data is retained for 30 days and then permanently deleted.
Usage and log data: Retained for up to 12 months for service improvement and security purposes.
Payment records: Retained for up to 7 years as required by UK tax and accounting regulations.
When data is deleted, it is permanently removed from our systems and storage providers. For zero-knowledge encrypted backups, deletion of the encrypted data renders it permanently irrecoverable regardless of private key possession.
7. Your Rights
Under UK data protection law, you have the following rights regarding your personal data:
Right of access: You may request a copy of the personal data we hold about you.
Right to rectification: You may request that we correct inaccurate or incomplete personal data.
Right to erasure: You may request that we delete your personal data, subject to any legal retention obligations.
Right to restriction: You may request that we restrict processing of your personal data in certain circumstances.
Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format.
Right to object: You may object to processing based on legitimate interests.
Rights related to automated decision-making: We do not make automated decisions that produce legal or similarly significant effects on you.
To exercise any of these rights, please contact us using the details provided at the end of this document. We will respond to your request within one month, as required by law. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies and Similar Technologies
SupaSafe uses strictly necessary cookies to maintain your authenticated session and remember your preferences. We do not use advertising or tracking cookies.
We use PostHog for anonymous product analytics to understand aggregate service usage patterns. PostHog is configured in a privacy-focused manner: it does not use cookies for tracking, does not collect personally identifiable information, and does not create individual user profiles. All analytics data is processed in aggregate form. As PostHog analytics does not process personal data or use tracking cookies, it operates under our legitimate interest in improving the service and does not require separate consent under PECR.
9. Children's Privacy
SupaSafe is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without appropriate consent, we will take steps to delete that information promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Where we make material changes, we will notify you by email or by posting a prominent notice on the SupaSafe website at least 14 days before the changes take effect. Your continued use of the service after the effective date constitutes your acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at:
Visatics Ltd.
Company number: 15339210
Registered address: 51 Audley Park Road, Bath BA1 2XL, UK
Data Protection Contact: N. Grange
Email: privacy@supasafe.co
Website: supasafe.co
You also have the right to contact the Information Commissioner's Office (ICO) if you have concerns about how we handle your data: ico.org.uk