Smartsheet Privacy Notice

Who We Are

Smartsheet Inc. is headquartered in Washington state, with various other offices in the United States. You can learn about us and our Offerings here.

Smartsheet Inc. shares personal data with our affiliated companies, including, but not limited to, Smartsheet UK Limited, Smartsheet Australia Pty Limited, and Brandfolder, Inc. (a full list of Smartsheet’s affiliates is available here), for our or our affiliates’ internal business purposes (e.g., when you use or purchase an affiliate’s services, when you apply to one of our global offices, etc.), marketing similar products, or for other legal requirements. A reference to "Smartsheet," "we," or "us" is a reference to Smartsheet Inc. and the relevant affiliate involved in the processing activity. 

Your Marketing Choices

Marketing Communications. You can modify how we contact you through email for marketing or promotional purposes at any time. This includes the choice to opt out of receiving emails from us for marketing or promotional purposes altogether. To modify how we contact you through email, follow the instructions provided in the footer of the marketing emails we send, or update your preferences through our preference centers linked below. You can also set your marketing communications preferences in the Offerings personal settings. Please see this Help Article for additional information.

Smartsheet Preference Center

Brandfolder Preference Center 

Custom Audiences. If you would prefer we do not include you in third party Custom Audiences, submit this form. Additional information relating to our use of Custom Audiences can be found in our Cookie Notice. 

Cookies. Please visit our Cookie Notice to learn about and exercise your choices relating to cookies.

Your Rights

You have certain rights relating to your personal data under applicable data protection laws (e.g., the General Data Protection Regulation, the California Consumer Privacy Act, etc.) or based on your use of our Offerings. Such rights include:

Access. You can ask us to confirm if we are processing your personal data, provide you with details about such processing, and give you a copy of your personal data.

Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. 

Objection. You can object in writing to any processing of your personal data, which is done on the basis of our “legitimate interests,” if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you object in writing to our processing of your personal data, we shall then have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.

Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.

Rectification. You can ask us to update or correct certain information; we may verify the accuracy of the data before rectifying it.  For certain information you may be able to update or correct information by updating your personal setting within the Offerings. 

Restriction. You can ask us to restrict (i.e., keep but not use) your personal data, but only where: its accuracy is contested (see "Rectification" above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; or you have exercised the right to object, and verification of any overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent to establish, exercise, or defend legal claims, or to protect the rights of another.

Withdrawal of Consent. You can withdraw your consent where processing is based on a consent you have previously provided.  Your withdrawal of consent will not affect the lawfulness of the processing done prior to your withdrawal of consent taking effect.  If you have questions about how to withdraw a consent you had provided, please complete this form. 

Exercise of Rights. To exercise your rights, please contact us using this form or using the contact details provided under the "How to Contact Us" section below. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Offerings to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Offerings; or suggest you may receive such different treatment.  We will process any requests in accordance with applicable laws within a reasonable period of time.  In order to properly process a request we may need to verify your identity before taking any request-related actions. If needed, we will contact you via email with reasonable instructions to verify your identity before processing your request. You can appeal any decisions made regarding your rights.

Personal Data Retention

We keep your personal data for as long as reasonably necessary for the purposes set out in our notices (see "How We Use Personal Data" in the applicable notice) or, if applicable, in accordance with the relevant terms in an agreement between you and Smartsheet. We will keep your personal data longer if required for tax or accounting purposes, to ensure we would be able to defend or raise a claim, to resolve disputes, to enforce our contractual rights, or where we have a legitimate need - though we will generally not keep personal data for longer than seven years following the last date of communication with you. Where personal data is no longer required, we anonymize or dispose of it in a secure manner. 

How We Protect Personal Data

We are committed to implementing and maintaining reasonable and appropriate technical, physical, and administrative safeguards to protect your personal data. However, no company, including Smartsheet, can guarantee the absolute security of Internet communications. For more information on our practices, please see our Trust Center webpages.

Children's Personal Data

Our Sites are not directed toward children under 18 and we do not knowingly collect personal data from minors. If you are under 18, please do not use the Sites or Offerings or share personal data with us. If you learn that anyone younger than 18 has unlawfully provided us personal data, please contact us. See also our Acceptable Use Policy. 

International Transfers

Smartsheet’s primary processing activities are in the United States, as detailed at https://www.smartsheet.com/data-access-and-transfers. Personal data we collect will be transferred to, used, and stored in the United States or other jurisdictions in which Smartsheet, our affiliates, or service providers are located; these locations (including the United States) may not guarantee the same level of protection of personal data as the one in which you live.  By providing us with your personal data, you agree to such transfer and/or processing. Smartsheet assesses the circumstances involving all cross-border data transfers and has suitable safeguards in place to require that your personal data will remain protected in accordance with this notice. In the event of such a transfer, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as the applicable standard contractual clauses.

Data Transfer Mechanism for EU and UK Personal Data

Smartsheet relies on the EU Standard Contractual Clauses alongside the United Kingdom International Data Transfer Addendum (collectively, the “SCCs”) as its appropriate data transfer mechanism for EU and UK personal data. Where applicable, the SCCs are incorporated as part of Smartsheet’s standard DPA as detailed below.

Notwithstanding the judgment by the Court of Justice of the European Union (C-311/18, often referred to as Schrems II), Smartsheet and its affiliates continue to voluntarily participate in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”). We are committed to complying with the Privacy Shield Principles with respect to personal data transferred to the United States from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. Smartsheet’s commitments under the Privacy Shield Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements (please see our Trust Center for additional information). Smartsheet is and will remain liable for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf (see "How We Share Personal Data" in the applicable notice). We comply with the Privacy Shield Principles for all onward transfers of personal data from the EEA, including the onward transfer liability provisions. If there is a conflict between the terms of this notice and the Privacy Shield Principles, the Privacy Shield Principles will govern.

In addition, Smartsheet has implemented intercompany agreements for transfers of personal data between our affiliated companies, which require all of our affiliates to protect personal data they process in accordance with applicable data protection law. We have implemented similar appropriate safeguards where legally required with our third party service providers and partners; please see our subprocessors list available at https://www.smartsheet.com/legal/subprocessors for additional details. 

California Privacy Rights

For individuals and households in California, this section provides more information about personal information we have collected, or may collect, about you and your rights available to you under the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”). For details about the data we have collected over the last 12 months and data we may collect in the future, including their sources, please see “Personal Data We Collect” in our General Privacy Notice, with additional detail outlined in our General Privacy Notice Table. If you are a user of our Offerings, this information is also available in “Personal Data We Collect” in our Offerings Privacy Notice, and in the Offerings Privacy Notice Table. Our Cookie Notice explains how we have, and may continue to use, cookies, pixels, and similar tracking technologies to gather information about your use of, and automated interactions with, the Sites and Offerings, and your rights to control our use of them.

We collect personal data for business purposes described in our General Privacy Notice and our Offerings Privacy Notice under the sections “How We Use Personal Data.” 

We will only share or disclose your data as described in our General Privacy Notice and our Offerings Privacy Notice under the sections “How We Share Personal Data.”

We do not collect Sensitive Personal Data. Sensitive Personal Data defined under the CCPA includes social security numbers, driver’s license numbers, state identification cards, passport numbers, your precise geo-location, racial or ethnic origins, religious or philosophical beliefs, union memberships, the contents of your mail and email (unless Smartsheet is the intended recipient of that content), or genetic data. We do not collect account log-ins, financial information, debit or credit card numbers in combination with your security codes or passwords. If we had any reason to collect Sensitive Personal Data, we would do so according to your rights and choices as described in the section "Your Rights" above, and with a clearly defined business purpose.

Subject to certain limitations, the CCPA provides you a number of rights, specifically:

• Your right to request more details about the categories or specific pieces of personal data we collect (including how we use and disclose this information);
• Your right to delete your personal data;
• Your right to opt out of any “sales” that may be occurring; and
• Your right to not be discriminated against for exercising these rights.

These rights do not remove any rights you have as described in the section "Your Rights" above. You may exercise these rights by contacting us as described in the section "How to Contact Us" below. You may also designate an authorized agent to exercise these rights on your behalf. We may request additional information to verify your identity. 

Changes to This Notice

We may amend, update, or revise this notice from time to time to reflect changes to our privacy practices, changing technologies, industry practices, regulatory requirements, or for other reasons. If we make any material changes that affect the way we treat your data, we will notify you by email, through the Sites or Offerings, or by other legally acceptable means. We encourage you to periodically review this notice for the latest information on our privacy practices.

How to Contact Us

You have the right to complain to a data protection authority about our collection and use of your personal data, but we encourage you to reach out to us first. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. The best way to reach us is by filling out this form. Smartsheet’s Privacy Director serves as Smartsheet’s data protection contact and can be reached at:

Webform: Contact privacy form

Email: privacy@smartsheet.com

Address: Attn: Legal - Privacy Office, 500 108th Ave NE, Suite 200, Bellevue WA 98004

Residents of the EEA and UK. The controller of your personal data is Smartsheet Inc. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. You may contact us using this form or by reaching out to our Data Protection Officer ("DPO") at:

Email: dpo@smartsheet.com

Complaints or Questions About Smartsheet’s Privacy Shield Certifications. If you have any questions or complaints regarding our Privacy Shield Certification, please complete this form or email privacy@smartsheet.com. We will respond within 45 days of receiving your complaint and will promptly investigate and attempt to resolve it. If you reside in the EEA and your complaint cannot be resolved through this process, we will participate in the dispute resolution process administered by JAMS. For information about how to initiate a Privacy Shield claim with JAMS, please contact JAMS directly. Under certain conditions (described on the Privacy Shield website), you may invoke binding arbitration when other dispute resolution procedures have been exhausted

English Version Controls

Unless prohibited by local laws, non-English translations of this notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version is authoritative and controls.

Last Updated: July 5, 2023