Smartsheet is aware of the publication of the updated Standard Contractual Clauses by the European Commission. We are currently reviewing and will be making updates to our Data Processing Addendum soon.

Multipart article

Smartsheet Privacy Notice

Last Updated: May 28, 2021


At Smartsheet, we understand that you need to know how data about you (i.e., personal data) is used. The Smartsheet Privacy Notice includes this page and the specific notices below which describe how we collect, use, and share personal data and explain your related rights and choices. “We” (or “Us”) are Smartsheet Inc. (including any relevant affiliates) and “You” may be a visitor to one of our websites, including www.smartsheet.com (“Sites”) or a user of our online services and applications and any related downloadable software (“Offerings”).


Specific Notices

Together with the information on this page, the following notices describe our use of your personal data based on how we interact with you:

General Privacy Notice

General Privacy Notice. When we interact with you outside the Offerings (e.g., on our Sites, social media properties, through pre-contractual activities, during events, through surveys, or other non-Offerings features).


Offerings Privacy Notice

Offerings Privacy Notice. When you sign up for or use Offerings which we provide to you or, if you are an organizational user, to our customer with whom you have a relationship (e.g., employer/employee).


Cookie Notice

Cookie Notice. When data is collected automatically from your device or web browser by way of cookies and other tracking technologies.


Candidate Privacy Notice

Candidate Privacy Notice. When you apply for a job with Smartsheet or one of our affiliated companies, whether through one of our Sites or through a third party service.


Who We Are

Smartsheet Inc. is headquartered in Washington state, with various other offices in the United States. You can learn about us and our Offerings here.

Smartsheet Inc. may share personal data with our affiliated companies, including but not limited to Smartsheet UK Limited, Smartsheet Australia Pty Limited, and Brandfolder, Inc. (a full list is available here) for our or our affiliates’ internal business purposes (e.g., when you use or purchase an affiliate’s services, when you apply to one of our global offices, etc.), marketing similar products, or for other legal requirements. A reference to "Smartsheet," "we," or "us" is a reference to Smartsheet Inc. and the relevant affiliate involved in the processing activity. 


Your Choices

Marketing Communications. You can modify how we may contact you through email for marketing or promotional purposes at any time. This includes the choice to opt out of receiving emails from us for marketing or promotional purposes altogether. To modify how we may contact you through email, follow the instructions provided in the marketing emails we send, or click here. Additional marketing or promotional preferences can be updated through the Offerings personal settings. Please see this Help Article for additional information. 

Custom Audiences. If you would prefer we do not include you in third party custom audiences, submit this form. Additional information relating to our use of custom audiences can be found in our Cookie Notice

Cookies. Please visit our Cookie Notice to learn about and exercise your choices relating to cookies.


Your Rights

You may have certain rights relating to your personal data under local data protection laws (e.g., the General Data Protection Regulation, the California Consumer Privacy Act, etc.) or based on your use of our Offerings. Such rights may include:

Access

You can ask us to confirm if we are processing your personal data, provide you with details about such processing, and give you a copy of your personal data.


Erasure

You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.


Objection

You can object in writing to any processing of your personal data, which is done on the basis of our “legitimate interests,” if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you object in writing to our processing of your personal data, we shall then have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.


Portability

You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.


Rectification

You can ask us to update or correct certain information; we may verify the accuracy of the data before rectifying it. For certain information you may be able to update or correct information by updating your personal setting within the Offerings.


Restriction

You can ask us to restrict (i.e., keep but not use) your personal data, but only where: its accuracy is contested (see "Rectification" above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; or you have exercised the right to object, and verification of any overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent to establish, exercise, or defend legal claims, or to protect the rights of another.


Withdrawal of Consent

You can withdraw your consent where processing is based on a consent you have previously provided.  Your withdrawal of consent will not affect the lawfulness of the processing done prior to your withdrawal of consent taking effect.  If you have questions about how to withdraw a consent you had provided, please complete this form.


Exercise of Rights

To exercise your rights, please contact us using this form or using the contact details provided under the "How to Contact Us/Dispute Resolution" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Offerings to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Offerings; or suggest you may receive such different treatment.  We will process any requests in accordance with applicable laws within a reasonable period of time.  In order to properly process a request we may need to verify your identity before taking any request-related actions.


Personal Data Retention

We keep your personal data for as long as reasonably necessary for the purposes set out in our notices (see "How We Use Personal Data" in the applicable notice) or, if applicable, in accordance with the relevant terms in an agreement between you and Smartsheet. We will keep your personal data longer if required for tax or accounting purposes, to ensure we would be able to defend or raise a claim, to resolve disputes, enforce our contractual rights, or where we have a legitimate need - though we will generally not keep personal data for longer than seven years following the last date of communication with you. Where personal data is no longer required, we anonymize or dispose of it in a secure manner. 


How We Protect Personal Data

We are committed  to implementing and maintaining reasonable and appropriate technical, physical, and administrative safeguards to protect your personal data. However, no company, including Smartsheet, can guarantee the absolute security of Internet communications. For more information, please see our Trust webpage.


Children's Personal Data

Our Sites are not directed toward children under 18 and we do not knowingly collect personal data from minors. If you are under 18, please do not use the Sites or Offerings or share personal data with us. If you learn that anyone younger than 18 has unlawfully provided us personal data, please contact us.


International Transfers and Privacy Shield Notice

Personal data we collect may be transferred to, used, and stored in the United States or other jurisdictions in which Smartsheet, our affiliates, or service providers are located; these locations (including the United States) may not guarantee the same level of protection of personal data as the one in which you live.  By providing us with your personal data, you agree to such transfer and/or processing.  Smartsheet assesses the circumstances involving all cross-border data transfers and has suitable safeguards in place to require that your personal data will remain protected in accordance with this notice. In the event of such a transfer, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as the standard contractual clauses, as applicable either controller to controller (2004/915/EC) or controller to processor (2010/87/EC), adopted by the European Commission.

 
Smartsheet is closely monitoring developments and guidance from regulatory authorities in both Europe (including the United Kingdom) and the United States and will update this Privacy Notice as needed. If you wish to enquire further about the safeguards used, please contact us using the details set out in the “How to Contact Us” section below.  


Notwithstanding the recent judgment by the Court of the European Union (C-311/18, often referred to as Schrems II), Smartsheet (and its affiliates: Artefact Product Group LLC dba 10,000ft and TernPro, Inc. dba Slope) continues to participate in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”). We are committed to complying with the Privacy Shield Principles with respect to personal data transferred to the United States from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. Smartsheet’s commitments under the Privacy Shield Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Smartsheet is and will remain liable for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf (see "How We Share Personal Data" in the applicable notice). We comply with the Privacy Shield Principles for all onward transfers of personal information from the EEA, including the onward transfer liability provisions. If there is a conflict between the terms of this notice and the Privacy Shield Principles, the Privacy Shield Principles will govern.


In addition, Smartsheet has implemented the European Commission’s Standard Contractual Clauses for transfers of personal data between our affiliated companies, which require all of our affiliates to protect personal data they process from the EEA in accordance with European Union data protection law. We have implemented similar appropriate safeguards where legally required with our third party service providers and partners; details can be provided upon request. 


Changes to This Notice

We may amend, update, or revise this notice from time to time to reflect changes to our privacy practices, changing technologies, industry practices, regulatory requirements, or for other reasons. If we make any material changes that affect the way we treat your data, we will notify you by email, through the Sites or Offerings, or by other legally acceptable means. We encourage you to periodically review this notice for the latest information on our privacy practices.


How to Contact Us

You have the right to complain to a data protection authority about our collection and use of your personal data, but we encourage you to reach out to us first. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. The best way to reach us is by filling out this form. Smartsheet’s Privacy Counsel serves as Smartsheet’s data protection contact and can be reached at:

Webform: Contact privacy form

Email: privacy@smartsheet.com

Address: Attn: Legal - Privacy Office, 10500 NE 8th Street, Suite 1300, Bellevue WA 98004

 

Residents of the EEA. The controller of your personal data is Smartsheet Inc. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. You may contact our EU Representative, EU Business Partners, at:

Webform: Contact privacy form

Email: info@eubusinesspartners.com

Address: Attn: Smartsheet Legal ℅ EU Business Partners, 10 Ashe Street, Clonakilty, County Cork, P85 E403, Ireland

Name and Position of the Natural Person: Flor McCarthy, Director

 

Complaints or Questions About Smartsheet’s Privacy Shield Certifications. If you have any questions or complaints regarding our Privacy Shield Certification, please complete this form or email privacy@smartsheet.com. We will respond within 45 days of receiving your complaint and will promptly investigate and attempt to resolve it. If you reside in the EEA and your complaint cannot be resolved through this process, we will participate in the dispute resolution process administered by JAMS. For information about how to initiate a Privacy Shield claim with JAMS, please contact JAMS directly. Under certain conditions (described on the Privacy Shield website), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.


English Version Controls

Unless prohibited by local laws, non-English translations of this notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version is authoritative and controls.


Archived versions

These are the legacy versions of Smartsheet Privacy Notice and are provided for informational purposes only.