Smartsheet Privacy Notice
At Smartsheet, we understand that you need to know how data about you (i.e., personal data) is used. The Smartsheet Privacy Notice consists of this page and the specific notices below which describe how we collect, use, and share personal data and explain your related rights and choices. “We” (or “Us”) are Smartsheet Inc. (including any relevant affiliates) and “You” may be a visitor to one of our websites, including www.smartsheet.com (“Sites”) or a user of our online services and applications and any related downloadable software (“Offerings”).
Who We Are
Smartsheet Inc. is headquartered in Washington state, with various other offices in the United States. You can learn about us and our Offerings here.
Smartsheet Inc. may share personal data with our affiliated companies, including but not limited to Smartsheet UK Limited, Smartsheet Australia Pty Limited, and Brandfolder, Inc. (a full list is available here) for our or our affiliates’ internal business purposes (e.g., when you use or purchase an affiliate’s services, when you apply to one of our global offices, etc.), marketing similar products, or for other legal requirements. A reference to "Smartsheet," "we," or "us" is a reference to Smartsheet Inc. and the relevant affiliate involved in the processing activity.
Marketing Communications. You can modify how we may contact you through email for marketing or promotional purposes at any time. This includes the choice to opt out of receiving emails from us for marketing or promotional purposes altogether. To modify how we may contact you through email, follow the instructions provided in the marketing emails we send, or click here. Additional marketing or promotional preferences can be updated through our preference centers linked below. You may also set your marketing communications preferences in the Offerings personal settings. Please see this Help Article for additional information.
Custom Audiences. If you would prefer we do not include you in third party custom audiences, submit this form. Additional information relating to our use of custom audiences can be found in our Cookie Notice.
Cookies. Please visit our Cookie Notice to learn about and exercise your choices relating to cookies.
You may have certain rights relating to your personal data under local data protection laws (e.g., the General Data Protection Regulation, the California Consumer Privacy Act, etc.) or based on your use of our Offerings. Such rights may include:
Access. You can ask us to confirm if we are processing your personal data, provide you with details about such processing, and give you a copy of your personal data.
Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Objection. You can object in writing to any processing of your personal data, which is done on the basis of our “legitimate interests,” if you believe your fundamental rights and freedoms outweigh our legitimate interests. If you object in writing to our processing of your personal data, we shall then have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.
Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
Rectification. You can ask us to update or correct certain information; we may verify the accuracy of the data before rectifying it. For certain information you may be able to update or correct information by updating your personal setting within the Offerings.
Restriction. You can ask us to restrict (i.e., keep but not use) your personal data, but only where: its accuracy is contested (see "Rectification" above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; or you have exercised the right to object, and verification of any overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent to establish, exercise, or defend legal claims, or to protect the rights of another.
Withdrawal of Consent. You can withdraw your consent where processing is based on a consent you have previously provided. Your withdrawal of consent will not affect the lawfulness of the processing done prior to your withdrawal of consent taking effect. If you have questions about how to withdraw a consent you had provided, please complete this form.
Exercise of Rights. To exercise your rights, please contact us using this form or using the contact details provided under the "How to Contact Us/Dispute Resolution" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Offerings to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Offerings; or suggest you may receive such different treatment. We will process any requests in accordance with applicable laws within a reasonable period of time. In order to properly process a request we may need to verify your identity before taking any request-related actions.
Personal Data Retention
We keep your personal data for as long as reasonably necessary for the purposes set out in our notices (see "How We Use Personal Data" in the applicable notice) or, if applicable, in accordance with the relevant terms in an agreement between you and Smartsheet. We will keep your personal data longer if required for tax or accounting purposes, to ensure we would be able to defend or raise a claim, to resolve disputes, enforce our contractual rights, or where we have a legitimate need - though we will generally not keep personal data for longer than seven years following the last date of communication with you. Where personal data is no longer required, we anonymize or dispose of it in a secure manner.
How We Protect Personal Data
We are committed to implementing and maintaining reasonable and appropriate technical, physical, and administrative safeguards to protect your personal data. However, no company, including Smartsheet, can guarantee the absolute security of Internet communications. For more information, please see our Trust webpage.
Children's Personal Data
Our Sites are not directed toward children under 18 and we do not knowingly collect personal data from minors. If you are under 18, please do not use the Sites or Offerings or share personal data with us. If you learn that anyone younger than 18 has unlawfully provided us personal data, please contact us.
International Transfers and Privacy Shield Notice
Smartsheet’s primary processing activities are in the United States, as detailed at https://www.smartsheet.com/data-access-and-transfers. Personal data we collect may be transferred to, used, and stored in the United States or other jurisdictions in which Smartsheet, our affiliates, or service providers are located; these locations (including the United States) may not guarantee the same level of protection of personal data as the one in which you live. By providing us with your personal data, you agree to such transfer and/or processing. Smartsheet assesses the circumstances involving all cross-border data transfers and has suitable safeguards in place to require that your personal data will remain protected in accordance with this notice. In the event of such a transfer, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as the applicable standard contractual clauses.
Notwithstanding the judgment by the Court of Justice of the European Union (C-311/18, often referred to as Schrems II), Smartsheet and its affiliates continue to participate in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”). We are committed to complying with the Privacy Shield Principles with respect to personal data transferred to the United States from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. Smartsheet’s commitments under the Privacy Shield Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements (please see our Trust Center for additional information). Smartsheet is and will remain liable for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf (see "How We Share Personal Data" in the applicable notice). We comply with the Privacy Shield Principles for all onward transfers of personal information from the EEA, including the onward transfer liability provisions. If there is a conflict between the terms of this notice and the Privacy Shield Principles, the Privacy Shield Principles will govern.
In addition, Smartsheet has implemented intercompany agreements for transfers of personal data between our affiliated companies, which require all of our affiliates to protect personal data they process in accordance with applicable data protection law. We have implemented similar appropriate safeguards where legally required with our third party service providers and partners; please see our subprocessors list available at https://www.smartsheet.com/legal/subprocessors for additional details.
Changes to This Notice
We may amend, update, or revise this notice from time to time to reflect changes to our privacy practices, changing technologies, industry practices, regulatory requirements, or for other reasons. If we make any material changes that affect the way we treat your data, we will notify you by email, through the Sites or Offerings, or by other legally acceptable means. We encourage you to periodically review this notice for the latest information on our privacy practices.
How to Contact Us
You have the right to complain to a data protection authority about our collection and use of your personal data, but we encourage you to reach out to us first. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. The best way to reach us is by filling out this form. Smartsheet’s Privacy Counsel serves as Smartsheet’s data protection contact and can be reached at:
Webform: Contact privacy form
Address: Attn: Legal - Privacy Office, 10500 NE 8th Street, Suite 1300, Bellevue WA 98004
Residents of the EEA and UK. The controller of your personal data is Smartsheet Inc. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. You may contact us using this form or by reaching out to our Data Protection Officer ("DPO") at:
Complaints or Questions About Smartsheet’s Privacy Shield Certifications. If you have any questions or complaints regarding our Privacy Shield Certification, please complete this form or email firstname.lastname@example.org. We will respond within 45 days of receiving your complaint and will promptly investigate and attempt to resolve it. If you reside in the EEA and your complaint cannot be resolved through this process, we will participate in the dispute resolution process administered by JAMS. For information about how to initiate a Privacy Shield claim with JAMS, please contact JAMS directly. Under certain conditions (described on the Privacy Shield website), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
English Version Controls
Unless prohibited by local laws, non-English translations of this notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version is authoritative and controls.
Last Updated: February 24, 2022