
This skill guides you to implement Supabase data handling for PII, retention, and GDPR/CCPA compliance, with secure redaction and audits.

npx playbooks add skill jeremylongshore/claude-code-plugins-plus-skills --skill supabase-data-handling


SKILL.md
---
name: supabase-data-handling
description: |
  Implement Supabase PII handling, data retention, and GDPR/CCPA compliance patterns.
  Use when handling sensitive data, implementing data redaction, configuring retention policies,
  or ensuring compliance with privacy regulations for Supabase integrations.
  Trigger with phrases like "supabase data", "supabase PII",
  "supabase GDPR", "supabase data retention", "supabase privacy", "supabase CCPA".
allowed-tools: Read, Write, Edit
version: 1.0.0
license: MIT
author: Jeremy Longshore <[email protected]>
---

# Supabase Data Handling

## Overview
Handle sensitive data correctly when integrating with Supabase.

## Prerequisites
- Understanding of GDPR/CCPA requirements
- Supabase SDK with data export capabilities
- Database for audit logging
- Scheduled job infrastructure for cleanup

## Data Classification

| Category | Examples | Handling |
|----------|----------|----------|
| PII | Email, name, phone | Encrypt, minimize |
| Sensitive | API keys, tokens | Never log, rotate |
| Business | Usage metrics | Aggregate when possible |
| Public | Product names | Standard handling |

## PII Detection

```typescript
const PII_PATTERNS = [
  { type: 'email', regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g },
  // Loose North American phone shape; it also matches many non-phone digit runs.
  { type: 'phone', regex: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g },
  { type: 'ssn', regex: /\b\d{3}-\d{2}-\d{4}\b/g },
  // 16 digits in groups of four; confirm a hit with a Luhn check before acting on it.
  { type: 'credit_card', regex: /\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g },
];

// Every pattern carries the g flag, which String.prototype.matchAll requires.
function detectPII(text: string): { type: string; match: string }[] {
  const findings: { type: string; match: string }[] = [];

  for (const pattern of PII_PATTERNS) {
    const matches = text.matchAll(pattern.regex);
    for (const match of matches) {
      findings.push({ type: pattern.type, match: match[0] });
    }
  }

  return findings;
}
```

## Detailed Reference

See `{baseDir}/references/implementation.md` for complete data handling guide.

Overview

This skill implements Supabase data handling patterns focused on PII detection, retention, and privacy compliance for GDPR and CCPA. It provides practical rules for classifying data, redacting or encrypting sensitive fields, and configuring retention/cleanup jobs. The goal is to reduce risk when syncing and querying user data in Supabase-powered apps.

How this skill works

The skill inspects incoming and stored data using pattern-based PII detectors (emails, phones, SSNs, credit cards) and classifies records into PII, sensitive, business, or public categories. It provides guidance for encrypting or redacting fields, avoiding logs of secrets, and wiring Supabase export hooks into audit logging and scheduled retention jobs. It also outlines policy points to map retention windows and automated deletion or aggregation flows for compliance.

When to use it

  • When integrating user data flows with Supabase (auth, profiles, logs).
  • When you must enforce GDPR/CCPA retention or right-to-be-forgotten requests.
  • When exporting Supabase data to analytics, third parties, or backups.
  • When implementing server-side redaction or encryption before storing data.
  • When designing audit logs and access controls for Supabase tables.

Best practices

  • Classify data into PII, sensitive, business, and public, and apply the strictest handling for the highest-risk category.
  • Detect PII early (ingest-time) and either redact, encrypt, or tokenise before storage or downstream export.
  • Never log secrets (API keys, tokens); rotate credentials and store them in a secrets manager.
  • Implement retention policies as scheduled jobs that mark then purge expired records, keeping immutable minimal audit pointers if required.
  • Record access and deletion operations in an auditable store separate from primary data; ensure exports are filtered for PII.

Example use cases

  • Redact email and phone fields on profile exports sent to analytics while preserving anonymised usage metrics.
  • Automate deletion of user data 30 days after account closure to meet company retention policy and document the deletion in an audit table.
  • Detect and block uploads containing SSNs or credit card numbers, returning a validation error and logging an incident.
  • Encrypt high-risk columns (tokens, social security numbers) at rest and decrypt only in secure server-side functions.
  • Implement a GDPR 'right to be forgotten' endpoint that triggers cascade deletion or redaction across Supabase tables and associated backups.
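The following is an added example, not the skill's own code, of the ingest-time gate that the best practices and the use cases above describe: it pseudonymises the email with an HMAC so an analytics export still counts distinct users without holding the address, encrypts a high-risk field with AES-256-GCM so only the server-side path that holds the key can read it, redacts detected PII from free text, and rejects an upload that carries a card number. The two keys, the `prepareProfileForStorage` function and its `ProfileInput` shape are assumptions made for the example; in a deployment the keys come from a secrets manager. The Luhn check is added because the skill's 16-digit pattern also matches order and tracking numbers.

```typescript
import { createHmac, createCipheriv, createDecipheriv, randomBytes } from 'crypto';

// Placeholder keys generated in-process for this example. In a deployment both
// come from a secrets manager and are never written to the database or to logs.
const TOKEN_KEY = randomBytes(32); // HMAC key for deterministic pseudonyms
const ENC_KEY = randomBytes(32);   // AES-256-GCM data key for high-risk columns

// Same patterns as the skill's PII_PATTERNS, repeated here so the file runs alone.
const EMAIL_RE = /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
const CARD_RE = /\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/g;

// Luhn check. The 16-digit pattern alone also matches order and tracking
// numbers, so a candidate only counts as a card if its check digit verifies.
function luhnValid(candidate: string): boolean {
  const digits = candidate.replace(/\D/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits.charAt(digits.length - 1 - i));
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Deterministic pseudonym: the same address always yields the same token, so
// analytics can still count distinct users but cannot recover the address
// without TOKEN_KEY, which it never receives.
function tokenise(email: string): string {
  const mac = createHmac('sha256', TOKEN_KEY).update(email.trim().toLowerCase()).digest('hex');
  return 'tok_' + mac.slice(0, 32);
}

// Column-level encryption for high-risk fields. Stored form is
// base64(iv).base64(ciphertext).base64(tag); GCM needs a fresh IV per value,
// and the tag makes any tampering with the stored blob detectable.
function encryptField(plaintext: string): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', ENC_KEY, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, ct, cipher.getAuthTag()].map(b => b.toString('base64')).join('.');
}

// Decrypt only inside the trusted server-side path that holds ENC_KEY.
function decryptField(blob: string): string {
  const [iv, ct, tag] = blob.split('.').map(part => Buffer.from(part, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', ENC_KEY, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Redact free text before storage or export. Card candidates that fail Luhn
// are left alone so legitimate numeric references survive.
function redactText(text: string): string {
  return text
    .replace(EMAIL_RE, '[EMAIL]')
    .replace(SSN_RE, '[SSN]')
    .replace(CARD_RE, m => (luhnValid(m) ? '[CARD]' : m));
}

interface ProfileInput { email: string; national_id?: string; bio: string }
type IngestResult =
  | { ok: true; row: { email_token: string; national_id_enc: string | null; bio: string } }
  | { ok: false; reason: string };

// Ingest-time gate: reject disallowed content, then pseudonymise, encrypt and
// redact so nothing downstream (table, export, log line) sees raw PII.
function prepareProfileForStorage(input: ProfileInput): IngestResult {
  const candidates: string[] = input.bio.match(CARD_RE) || [];
  const cardHits = candidates.filter(luhnValid);
  if (cardHits.length > 0) {
    // Report the count only; echoing the matched value would put it in the logs.
    return { ok: false, reason: 'bio contains ' + cardHits.length + ' card number(s)' };
  }
  return {
    ok: true,
    row: {
      email_token: tokenise(input.email),
      national_id_enc: input.national_id ? encryptField(input.national_id) : null,
      bio: redactText(input.bio),
    },
  };
}
```

The rejection path deliberately returns a count rather than the matched digits: the validation error and the incident log entry it feeds must not become another place the card number is stored.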

FAQ

Does this require changes to Supabase itself?

No. It uses application-level patterns: SDK hooks, server-side functions, scheduled jobs, and encryption libraries without modifying Supabase internals.

How should I handle backups for retention compliance?

Encrypt backups, document retention windows, and include purge procedures that remove backups containing deleted personal data within your retention timeframe.