Smartsheet states it may use data from the service to train and improve AI features, but says it will obtain consent or rely on another legal basis where required by law before doing so.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
AI training on customer-submitted data is a growing area of regulatory scrutiny, and the scope of what data may be used and under what legal basis is not fully specified in the notice, creating ambiguity for enterprise customers evaluating data governance risk.
Interpretive note: The provision does not specify which categories of service data are in scope for AI training, what the default setting is, or how customers can restrict this use, creating interpretive uncertainty about scope and applicable legal basis.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
View change record →Removal of explicit AI training disclosure eliminates transparent notice about a significant data use practice, potentially leaving users unaware that their data may be used for AI model development.
View full change record →Data that users or their organizations submit into Smartsheet may potentially be used to improve Smartsheet's AI products, subject to consent or another legal basis, though the specific data categories and opt-out mechanisms are not fully detailed in this notice.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Smartsheet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may use data from the Service to develop, train, and improve our AI features and products. We will obtain your consent or rely on another legal basis as required by applicable law before using your personal data for AI training purposes.— Excerpt from Smartsheet's Smartsheet Privacy Policy
(1) REGULATORY LANDSCAPE: This provision may require evaluation under the EU AI Act, which imposes requirements on AI system developers depending on risk classification, as well as GDPR's requirements for lawful basis when processing personal data for AI training purposes. The FTC has also issued guidance on AI and data practices. Relevant enforcement authorities include EU data protection authorities, the UK ICO, and the FTC. (2) GOVERNANCE EXPOSURE: Medium to High. The notice asserts that consent or another legal basis will be obtained before using personal data for AI training, but does not specify which categories of service data are in scope, what the default position is, or how enterprise customers can restrict this use contractually. This ambiguity may require enterprise customers to seek clarification in their DPAs or service agreements. (3) JURISDICTION FLAGS: EU and UK organizations face the most significant exposure given GDPR requirements for explicit lawful basis for AI training and evolving EU AI Act obligations. California organizations should evaluate whether this use constitutes a secondary use of data requiring opt-out mechanisms under CPRA. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should review Smartsheet's DPA and service agreement for specific provisions addressing AI training data use, opt-out mechanisms, and data segregation. The notice's statement that consent or another legal basis will be used is not itself a contractual restriction and may not be sufficient for enterprise compliance purposes without a more specific contractual commitment. (5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether their organizations' data submitted into Smartsheet includes personal data and, if so, whether the AI training use is covered by existing consent mechanisms or data processing agreements. Organizations should request clarity from Smartsheet on what specific data is used, how it is anonymized if at all, and what customer controls are available.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
AI training on customer-submitted data is a growing area of regulatory scrutiny, and the scope of what data may be used and under what legal basis is not fully specified in the notice, creating ambiguity for enterprise customers evaluating data governance risk.
Data that users or their organizations submit into Smartsheet may potentially be used to improve Smartsheet's AI products, subject to consent or another legal basis, though the specific data categories and opt-out mechanisms are not fully detailed in this notice.
ConductAtlas has identified this type of provision across 1 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.