What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: This notice engages GDPR for EEA and UK residents, CCPA and CPRA for California residents, and references international transfer mechanisms including Standard Contractual Clauses and adequacy decisions. The FTC Act is implicitly relevant given Smartsheet's US-based data practices and consumer-facing services. The EU AI Act may require evaluation given the notice's disclosure that service data may be used to improve AI features, depending on the classification of those …

How does Smartsheet's Smartsheet Privacy Policy affect users?

Smartsheet collects a broad range of personal data including contact details, usage behavior, device identifiers, and location data, and shares it with advertising and analytics partners, which may affect users who prefer limited third-party data exposure. For business users, data submitted into the Smartsheet platform is treated as processor data governed by a separate customer agreement, meaning individual employees may not be able to exercise privacy rights directly with Smartsheet and must …

How often is Smartsheet's Smartsheet Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Smartsheet updates this document?

Yes. Watcher subscribers ($9.99/month) can add Smartsheet to their watchlist and receive same-day email alerts whenever this document or any other Smartsheet document changes.

CA-D-000712

Smartsheet Privacy Policy

Smartsheet

Last change detected May 5, 2026 Privacy policy

SHA-256: 3cb752c502db079d64f… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Smartsheet ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

0 High severity

8 Medium severity

2 Low severity

Summary

This is Smartsheet's privacy policy, explaining how the project management platform collects and uses personal data about people who visit its website, sign up for a free trial, or use its services. The most important thing to know is that Smartsheet shares your personal data including name, email, usage behavior, and device information with advertising and analytics partners, and may use certain service data to improve AI features. California residents and EU/UK users have specific rights to access, delete, or opt out of certain data uses, which they can exercise by submitting a request through Smartsheet's privacy request form.

Technical / Legal Breakdown

This document is the Smartsheet Privacy Notice, governing how Smartsheet Inc. collects, uses, and shares personal data across its website (smartsheet.com) and related services, with stated legal bases including contract performance, legitimate interests, consent, and legal obligation depending on jurisdiction. The notice states that Smartsheet collects personal data including identifiers, usage data, device information, location data, and customer-submitted content, and authorizes use of that data for product delivery, marketing, analytics, fraud prevention, and AI-related product improvement; it also discloses sharing with third-party service providers, advertising partners, analytics vendors, and business transferees. Notably, the notice distinguishes between Smartsheet's role as a data controller (for website and marketing data) and a data processor (for customer-submitted service data governed by separate customer agreements), a distinction that materially affects what rights individual users can exercise directly against Smartsheet. The notice expressly addresses GDPR obligations for EEA and UK residents, CCPA/CPRA rights for California residents, and references adequacy decisions and Standard Contractual Clauses as international transfer mechanisms; applicability of specific rights depends on jurisdiction and user classification. Compliance teams should note that AI feature data use, third-party advertising integrations, and the controller-processor distinction each create distinct regulatory evaluation points under GDPR, CCPA/CPRA, and potentially the EU AI Act.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

Medium — 8 provisions

Controller vs. Processor Distinction for Service Data Compare →

If you use Smartsheet because your employer or another organization set it up, that organization controls your data inside the platform, not Smartsheet. Your privacy rights for that data must be directed to your employer, not Smartsheet.

Added May 10, 2026 Standard Seen across 189 platforms
AI Feature Data Use Compare →

Smartsheet states it may use data from the service to train and improve AI features, but says it will obtain consent or rely on another legal basis where required by law before doing so.

Added May 10, 2026 Common Seen across 104 platforms
Third-Party Advertising and Analytics Data Sharing Compare →

Smartsheet shares your browsing and usage data with advertising and analytics companies, who may track your activity across the Smartsheet site and other websites using cookies and similar technologies.

Added May 10, 2026 Standard Seen across 246 platforms
International Data Transfers Compare →

Your data may be transferred to and stored in the United States or other countries with different privacy laws. For EU and UK users, Smartsheet states it uses approved legal mechanisms like Standard Contractual Clauses to make that transfer lawful.

Added May 10, 2026 Standard Seen across 246 platforms
California Resident Privacy Rights (CCPA/CPRA) Compare →

California residents have specific legal rights including the ability to see what data Smartsheet has about them, request deletion, correct inaccuracies, and opt out of having their data sold or shared with advertising partners.

Added May 10, 2026 Standard Seen across 262 platforms
GDPR Rights for EEA and UK Users Compare →

If you are in the EU or UK, you have the right to see, correct, delete, and move your personal data, and to object to certain uses of it. You can also complain to your national data protection authority if you believe your rights have been violated.

Added May 10, 2026 Standard Seen across 262 platforms
Data Retention Compare →

Smartsheet keeps your personal data for as long as it considers necessary for business, legal, or dispute purposes, without specifying a fixed maximum retention period in this notice.

Added May 7, 2026 Standard Seen across 223 platforms
Cookies and Tracking Technologies Compare →

Smartsheet uses cookies and tracking tools on its website to collect usage data, remember settings, and show you targeted ads. You can manage most cookie settings through their cookie preference center, though turning some off may affect how the site works.

Added May 10, 2026 Standard Seen across 251 platforms

Low — 2 provisions

Business Transfer and Merger Data Sharing Compare →

If Smartsheet is sold, merged, or undergoes a major business transaction, your personal data may be transferred to the acquiring company as part of that deal.

Added May 10, 2026 Standard Seen across 246 platforms
Children's Data Compare →

Smartsheet states it does not intentionally collect data from users under 16, and will delete any such data if discovered.

Added May 10, 2026 Standard Seen across 262 platforms