Smartsheet Privacy Notice

 

Last Updated: May 17, 2019

At Smartsheet, we understand that you need to know how data about you (i.e., personal data) is used. The Smartsheet Privacy Notice is comprised of this page and the notices below which describe how we collect, use, and share personal data and explain your related rights and choices. ‘We’ are Smartsheet Inc. ‘You’ may be a visitor to one of our websites including www.smartsheet.com (‘Sites’) or a user of our internet-delivered work collaboration services and applications, including our mobile applications, or any of our services available through the Sites (‘Services’).

Specific Notices

Who We Are

Your Choices

Your Rights

Personal Data Retention

How We Protect Personal Data

Children

International Transfers and Privacy Shield Notice

Changes to this Notice

How to Contact Us

English Version Controls


 

Specific Notices

Together with the information on this page, the following notices describe our use of your personal data based on how we interact with you:

General Privacy Notice. When we interact with you outside the Services (e.g., on our Sites, during events, or through surveys).

Services Privacy Notice. When you sign up for or use Services which we provide to you or, if you are an organizational user, to our customer with whom you have a relationship (e.g., employer/employee).

Cookie Notice. When data is collected automatically from your device by way of cookies and other tracking technologies.

 

Who We Are

Smartsheet Inc. is headquartered in the United States, with offices in Washington and Massachusetts. You can learn about us and our Services here.

Smartsheet Inc. may share personal data with our affiliated companies for our or our affiliate’s internal business purposes (e.g., when you purchase an affiliate’s services from Smartsheet). The following privacy notices are tailored for the different ways your personal data may be collected, used, shared and processed by different Smartsheet lines of business:

 

Your Choices

Marketing Communications. You can opt out of being contacted by us for marketing or promotional purposes by following the instructions in marketing emails we send or by unsubscribing.

Custom Audiences. If you’d prefer we do not include you in custom audiences, submit this form.

Cookies. Please visit our Cookie Notice to learn about and exercise your choices relating to cookies.

 

Your Rights

You may have certain rights relating to your personal data under local data protection laws or based on your use of our Services. For example

European Economic Area
  • Access. You can ask us to confirm we’re processing your personal data, provide you with details about such processing, and give you a copy of your personal data.
  • Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
  • Objection. You can object to any processing of your personal data which is done on the basis of our 'legitimate interests', if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. In addition, you can object to the processing of your personal data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. We will then cease the processing of your personal data for direct marketing purposes.
  • Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
  • Rectification. You can ask us to correct information; we may verify the accuracy of the data before rectifying it.
  • Restriction. You can ask us to restrict (i.e., keep but not use) your personal data, but only where: its accuracy is contested (see 'Rectification' above), to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise, or defend legal claims; you have exercised the right to object, and verification of any overriding grounds is pending. We can continue to use your personal data following a request for restriction where we have your consent; to establish, exercise, or defend legal claims; or to protect the rights of another.
  • Withdrawal of Consent. You can withdraw your consent where processing is based on a consent you have previously provided. If you have questions about how to withdraw a consent you had provided, please complete this form.
  • Exercise of Rights. To exercise your rights please contact us using this form or using the contact details provided under the "How to Contact Us" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Services to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Services; or suggest you may receive such different treatment.
California
  • Access. You can ask us to confirm we’re processing your personal data, provide you with details about such processing, and give you a copy of your personal data.
  • Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims. 
  • Portability. You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format, or you can ask to have it 'ported' directly to another data controller, but only where our processing is based on your consent and the processing is carried out by automated means.
  • Exercise of Rights. To exercise your rights please contact us using this form or using the contact details provided under the "How to Contact Us" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Services to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Services; or suggest you may receive such different treatment.
Mobile Users
  • Access. You can ask us to confirm we’re processing your personal data, provide you with details about such processing, and give you a copy of your personal data.
  • Erasure. You can ask us to erase your personal data if certain conditions are met. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
  • Withdrawal of Consent. You can withdraw your consent where processing is based on a consent you have previously provided. If you have questions about how to withdraw a consent you had provided, please complete this form.
  • Exercise of Rights. To exercise your rights please contact us using this form or using the contact details provided under the "How to Contact Us" heading. We do not discriminate based on whether you choose to exercise your choices and rights and will not, based on your exercise of rights, deny the Services to you; charge you different rates (including through penalties or discounts/benefits); provide a different level or quality of Services; or suggest you may receive such different treatment.

 

Data Retention

We keep your personal data for as long as reasonably necessary for the purposes set out in our notices (see ‘How We Use Personal Data’ in the applicable notice). We’ll keep your personal data longer if required for tax or accounting purposes, to ensure we would be able to defend or raise a claim, or where we have a specific need - though we will generally not keep personal data for longer than seven years following the last date of communication with you. Where personal data is no longer required, we anonymize or dispose of it in a secure manner.

 

How We Protect Your Information

We have implemented technical, physical, and administrative safeguards to protect your personal data. However, no company, including Smartsheet, can guarantee the absolute security of Internet communications.

 

Children’s Personal Data

Our Sites are not directed toward children under 18 and we don’t knowingly collect personal data from minors. If you are under 18, please do not use the Sites or Services or share personal data with us. If you learn that anyone younger than 18 has unlawfully provided us personal data, please contact us.

 

International Transfers and Privacy Shield Notice

Personal data we collect may be transferred to, used, and stored in the United States or other jurisdictions in which Smartsheet, our affiliates, or service providers are located; these locations (including the United States) may not guarantee the same level of protection of personal data as the one in which you live. Smartsheet assesses the circumstances involving all cross-border data transfers and has suitable safeguards in place to require that your personal data will remain protected in accordance with this notice.  

Smartsheet participates in the EU-U.S. and U.S.-Swiss Privacy Shield Frameworks and Principles (collectively, the “Privacy Shield Principles”). We will comply with the Privacy Shield Principles with respect to personal data transferred to the United States from the European Economic Area (‘EEA’), the United Kingdom, and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. Smartsheet’s commitments under the Privacy Shield Principles are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Smartsheet is and will remain liable for the processing of personal data it receives under each Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf (see ‘How We Share Personal Data’ in the applicable notice). We comply with the Privacy Shield Principles for all onward transfers of personal information from the EEA, including the onward transfer liability provisions. If there is a conflict between the terms of this notice and the Privacy Shield Principles, the Privacy Shield Principles will govern.

In addition, Smartsheet has implemented the European Commission’s Standard Contractual Clauses for transfers of personal data between our affiliated companies, which require all of our affiliates to protect personal data they process from the EEA in accordance with European Union data protection law. We have implemented similar appropriate safeguards where legally required with our third party service providers and partners; details can be provided upon request.

 

Changes to this Notice

We may update this notice to reflect changes to our privacy practices, changing technologies, industry practices, regulatory requirements, or for other reasons. If we make any material changes that affect the way we treat your data, we will notify you by email, through the Sites, or by other legally acceptable means. We encourage you to periodically review this notice for the latest information on our privacy practices.

 

How to Contact Us

You have the right to complain to a data protection authority about our collection and use of your personal data, but we encourage you to reach out to us first. The best way to reach us is by filling out this form. Smartsheet’s Privacy Counsel serves as Smartsheet’s data protection contact and can be reached at:

Webform: Contact Privacy Form

Email: [email protected]

Address: Attn: Legal - Privacy Office, 10500 NE 8th Street, Suite 1300, Bellevue WA 98004

 

Residents of the EEA. The controller of your personal data is Smartsheet Inc. Where processing is undertaken by our affiliated companies, they are joint controllers with Smartsheet Inc. for your personal data. You may contact our EU Representative, Smartsheet UK Ltd, at:

Webform: Contact Privacy Form

Email: [email protected]

Address: Attn: Smartsheet Legal, Clarendon House, 116 George St, Edinburgh EH2 4LH

 

Complaints or Questions About Our Privacy Shield Certifications. If you have any questions or complaints regarding our Privacy Shield Certification, please complete this form or email [email protected] We will respond within 45 days of receiving your complaint and will promptly investigate and attempt to resolve it. If you reside in the EEA and your complaint cannot be resolved through this process, we will participate in the dispute resolution process administered by JAMS. For information about how to initiate a Privacy Shield claim with JAMS, please contact JAMS directly. Under certain conditions (described on the Privacy Shield website), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

 

English Version Controls

Unless prohibited by local laws, non-English translations of this notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version is authoritative and controls.