Smartsheet modified a single sentence in its Privacy Policy on June 5, 2026 describing which entities participate in the EU-U.S. Data Privacy Framework. The updated language specifies that 'Smartsheet and its U.S. affiliates' participate in the framework, whereas the previous version stated 'Smartsheet and its affiliates' without the geographic qualifier. This change narrows the scope of framework participation to U.S.-based affiliates only, which may affect how personal data transfers are handled for non-U.S. affiliated entities.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
The updated policy narrows the stated scope of Data Privacy Framework participation, which may affect the legal mechanisms available for transferring personal data from regulated regions to Smartsheet. Organizations processing EU, UK, or Swiss data through Smartsheet should verify whether this change introduces gaps in documented lawful transfer mechanisms, particularly if non-U.S. affiliates are involved in data handling.
→ Data transfers involving non-U.S. Smartsheet affiliates may proceed without explicit documentation of lawful transfer mechanisms as previously represented in the privacy policy
Participation narrowed to U.S. affiliates only; prior language did not specify geographic scope
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Smartsheet's June 5, 2026 privacy policy update narrows Data Privacy Framework participation to U.S. affiliates only. This change introduces potential ambiguity about legal mechanisms governing data transfers by non-U.S. Smartsheet entities, which may implicate GDPR Chapter V transfer requirements, UK GDPR Schedule 1 restrictions, and Swiss Federal Data Protection Act obligations. Organizations using Smartsheet should assess whether this narrowed scope affects their own data processing arrangements and whether supplemental transfer mechanisms (Standard Contractual Clauses, Binding Corporate Rules) are now necessary.
GDPR (Chapter V, Articles 44-50 on international data transfers); UK GDPR (Part 2, Schedule 1); Swiss Federal Data Protection Act (Articles 6-7 on international transfers)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002714.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorSmartsheet updated its privacy policy to replace the term 'Offerings' with 'Services' throughout the document, and added a single sentence …
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and lia…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.