Smartsheet Privacy Notice
Last Updated: May 29, 2020
At Smartsheet, we understand that you need to know how data about you (i.e., personal data) is used. The Smartsheet Privacy Notice consists of this page and the specific notices below which describe how we collect, use, and share personal data and explain your related rights and choices. “We” (or “Us”) are Smartsheet Inc. (including any relevant affiliates) and “You” may be a visitor to one of our websites, including www.smartsheet.com (“Sites”) or a user of our online services and applications and any related downloadable software (“Offerings”).
Together with the information on this page, the following notices describe our use of your personal data based on how we interact with you:
General Privacy Notice. When we interact with you outside the Offerings (e.g., on our Sites, social media properties, through pre-contractual activities, during events, through surveys, or other non-Offerings features).
Offerings Privacy Notice. When you sign up for or use Offerings which we provide to you or, if you are an organizational user, to our customer with whom you have a relationship (e.g., employer/employee).
Cookie Notice. When data is collected automatically from your device by way of cookies and other tracking technologies.
Candidate Privacy Notice. When you apply for a job with Smartsheet or one of our affiliated companies, whether through one of our Sites or through a third party service.
Who We Are
Smartsheet Inc. is headquartered in Washington state, with various other offices in the United States. You can learn about us and our Offerings here.
Smartsheet Inc. may share personal data with our affiliated companies (listed here) for our or our affiliates’ internal business purposes (e.g., when you use or purchase an affiliate’s services, when you apply to one of our global offices, etc.), marketing similar products, or for other legal requirements. A reference to "Smartsheet," "we," or "us" is a reference to Smartsheet Inc. and the relevant affiliate involved in the processing activity.
Marketing Communications. You can modify how we may contact you through email for marketing or promotional purposes at any time. This includes the choice to opt out of receiving emails from us for marketing or promotional purposes altogether. To modify how we may contact you through email, follow the instructions provided in the marketing emails we send, or click here. Additional marketing or promotional preferences can be updated through the Offerings personal settings. Please see this Help Article for additional information.
Custom Audiences. If you would prefer we do not include you in third party custom audiences, submit this form. Additional information relating to our use of custom audiences can be found in our Cookie Notice.
Cookies. Please visit our Cookie Notice to learn about and exercise your choices relating to cookies.
You may have certain rights relating to your personal data under local data protection laws (e.g., the General Data Protection Regulation, the California Consumer Privacy Act, etc.) or based on your use of our Offerings. Such rights may include:
Access. You can ask us to confirm if we are processing your personal data, provide you with details about such processing, and give you a copy of your personal data.
Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Objection. You can object in writing to any processing of your personal data, which is done on the basis of our “legitimate interests,” if you believe your fundamental rights and freedoms outweigh our legitimate interests.If you object in writing to our processing of your personal data, we shall then have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.
Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
Rectification. You can ask us to update or correct certain information; we may verify the accuracy of the data before rectifying it. For certain information you may be able to update or correct information by updating your personal setting within the Offerings.
Restriction. You can ask us to restrict (i.e., keep but not use) your personal data, but only where: its accuracy is contested (see "Rectification" above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; or you have exercised the right to object, and verification of any overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent to establish, exercise, or defend legal claims, or to protect the rights of another.
Withdrawal of Consent. You can withdraw your consent where processing is based on a consent you have previously provided. Your withdrawal of consent will not affect the lawfulness of the processing done prior to your withdrawal of consent taking effect. If you have questions about how to withdraw a consent you had provided, please complete this form.
Exercise of Rights. To exercise your rights, please contact us using this form or using the contact details provided under the "How to Contact Us/Dispute Resolution" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Offerings to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Offerings; or suggest you may receive such different treatment. We will process any requests in accordance with applicable laws within a reasonable period of time. In order to properly process a request we may need to verify your identity before taking any request-related actions.
Personal Data Retention
We keep your personal data for as long as reasonably necessary for the purposes set out in our notices (see "How We Use Personal Data" in the applicable notice) or, if applicable, in accordance with the relevant terms in an agreement between you and Smartsheet. We will keep your personal data longer if required for tax or accounting purposes, to ensure we would be able to defend or raise a claim, to resolve disputes, enforce our contractual rights, or where we have a legitimate need - though we will generally not keep personal data for longer than seven years following the last date of communication with you. Where personal data is no longer required, we anonymize or dispose of it in a secure manner.
How We Protect Personal Data
We are committed to implementing and maintaining reasonable and appropriate technical, physical, and administrative safeguards to protect your personal data. However, no company, including Smartsheet, can guarantee the absolute security of Internet communications. For more information, please see our Trust webpage.
Children's Personal Data
Our Sites are not directed toward children under 18 and we do not knowingly collect personal data from minors. If you are under 18, please do not use the Sites or Offerings or share personal data with us. If you learn that anyone younger than 18 has unlawfully provided us personal data, please contact us.
International Transfers and Privacy Shield Notice
Personal data we collect may be transferred to, used, and stored in the United States or other jurisdictions in which Smartsheet, our affiliates, or service providers are located; these locations (including the United States) may not guarantee the same level of protection of personal data as the one in which you live. By providing us with your personal data, you agree to such transfer and/or processing. Smartsheet assesses the circumstances involving all cross-border data transfers and has suitable safeguards in place to require that your personal data will remain protected in accordance with this notice.
Smartsheet (and its affiliates: Artefact Product Group LLC dba 10,000ft and TernPro, Inc. dba Slope) participates in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”). We will comply with the Privacy Shield Principles with respect to personal data transferred to the United States from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. Smartsheet’s commitments under the Privacy Shield Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Smartsheet is and will remain liable for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf (see "How We Share Personal Data" in the applicable notice). We comply with the Privacy Shield Principles for all onward transfers of personal information from the EEA, including the onward transfer liability provisions. If there is a conflict between the terms of this notice and the Privacy Shield Principles, the Privacy Shield Principles will govern.
In addition, Smartsheet has implemented the European Commission’s Standard Contractual Clauses for transfers of personal data between our affiliated companies, which require all of our affiliates to protect personal data they process from the EEA in accordance with European Union data protection law. We have implemented similar appropriate safeguards where legally required with our third party service providers and partners; details can be provided upon request.
Changes to This Notice
We may amend, update, or revise this notice from time to time to reflect changes to our privacy practices, changing technologies, industry practices, regulatory requirements, or for other reasons. If we make any material changes that affect the way we treat your data, we will notify you by email, through the Sites or Offerings, or by other legally acceptable means. We encourage you to periodically review this notice for the latest information on our privacy practices.
How to Contact Us
You have the right to complain to a data protection authority about our collection and use of your personal data, but we encourage you to reach out to us first. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. The best way to reach us is by filling out this form. Smartsheet’s Privacy Counsel serves as Smartsheet’s data protection contact and can be reached at:
Webform: Contact privacy form
Address: Attn: Legal - Privacy Office, 10500 NE 8th Street, Suite 1300, Bellevue WA 98004
Residents of the EEA. The controller of your personal data is Smartsheet Inc. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. You may contact our EU Representative, Smartsheet UK Ltd, at:
Webform: Contact privacy form
Address: Attn: Smartsheet Legal, Clarendon House, 116 George St, Edinburgh EH2 4LH, United Kingdom
Complaints or Questions About Smartsheet’s Privacy Shield Certifications. If you have any questions or complaints regarding our Privacy Shield Certification, please complete this form or email firstname.lastname@example.org. We will respond within 45 days of receiving your complaint and will promptly investigate and attempt to resolve it. If you reside in the EEA and your complaint cannot be resolved through this process, we will participate in the dispute resolution process administered by JAMS. For information about how to initiate a Privacy Shield claim with JAMS, please contact JAMS directly. Under certain conditions (described on the Privacy Shield website), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
English Version Controls
Unless prohibited by local laws, non-English translations of this notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version is authoritative and controls.