6 Total
1 High severity
4 Medium severity
1 Low severity
Summary

This is Smartsheet's Privacy Notice, covering how the company collects and uses personal data from visitors to www.smartsheet.com and users of its work management platform. The notice authorizes collection of identifiers, device information, usage activity, location-inferred data, and payment information, and permits sharing with advertising, analytics, and third-party service providers. For enterprise customers, the notice acknowledges Smartsheet may act as a data processor handling content uploaded by business users, with the terms of that processing governed separately by customer agreements.

Technical / Legal Breakdown

The Smartsheet Privacy Notice governs how Smartsheet Inc. collects, uses, shares, and retains personal data across its website (www.smartsheet.com) and associated services, with stated legal bases including consent, contractual necessity, legitimate interests, and legal obligations depending on jurisdiction. The notice states that Smartsheet collects identifiers, contact details, account credentials, device and usage data, location-inferred data, payment information, and content data submitted through the platform, and authorizes sharing with service providers, advertising and analytics partners, corporate affiliates, and business transaction parties. The notice discloses a layered structure composed of a main page and additional product-specific or region-specific sub-notices, which means the full scope of data practices may require review across multiple linked documents rather than a single instrument. The notice engages GDPR and UK GDPR for EU and UK residents, CCPA and CPRA for California residents, and references additional regional frameworks, with Smartsheet acting as a data controller for site and marketing data and as a data processor for customer-uploaded content processed on behalf of enterprise clients. Compliance teams should note that the processor-controller distinction has material implications for data subject rights fulfilment, contractual obligations with enterprise customers, and the scope of Smartsheet's direct regulatory obligations under applicable data protection law.


3 important changes detected

4 versions captured · Last updated: June 2026

What changed: Smartsheet updated its privacy policy on June 9, 2026 to clarify corporate structure and Data Privacy Framework participation. The policy previously stated that 'Smartsheet and its U.S. affiliates' participate in the EU-U.S., UK, and Swiss Data Privacy Frameworks. The updated language now specifies 'Smartsheet Inc.' and adds an explicit list of four U.S. affiliates that adhere to the DPF Principles: Artefact Product Group LLC (dba 10,000ft), Brandfolder Inc., On Brand Holdings Inc. (dba Outfit), and TernPro Inc. (dba Slope). This change provides clearer identification of which legal entities within the Smartsheet corporate group are responsible for complying with data transfer frameworks.

Why this matters: The updated policy clarifies the corporate structure and identifies specific U.S. entities within the Smartsheet group that are responsible for complying with international data transfer frameworks. Previously, the policy referred to 'Smartsheet and its U.S. affiliates' in general terms; the updated language now explicitly names Artefact Product Group LLC (10,000ft), Brandfolder Inc., On Brand Holdings Inc. (Outfit), and TernPro Inc. (Slope) as entities bound by the Data Privacy Framework Principles. This provides greater specificity about which entities handle personal data subject to cross-border transfer protections.

June 5, 2026 medium

What changed: Smartsheet modified a single sentence in its Privacy Policy on June 5, 2026 describing which entities participate in the EU-U.S. Data Privacy Framework. The updated language specifies that 'Smartsheet and its U.S. affiliates' participate in the framework, whereas the previous version stated 'Smartsheet and its affiliates' without the geographic qualifier. This change narrows the scope of framework participation to U.S.-based affiliates only, which may affect how personal data transfers are handled for non-U.S. affiliated entities.

Why this matters: The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.

May 21, 2026 low

Smartsheet updated its privacy policy to replace the term 'Offerings' with 'Services' throughout the document, and added a single sentence directing readers to a Glossary for definitions of capitalized terms. …


Recent Provision Changes Jun 9, 2026

6 provisions unchanged.

High — 1 provision
Medium — 4 provisions
Low — 1 provision

Archival Provenance

Source & Archival Record

Last Captured: June 9, 2026 01:26 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000712
Version ID: CA-V-003570
SHA-256: 1005b45002f15a946947ae6982fdfe847ec225b5bc09bd230cef4b2f20f3b62e
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified
