Smartsheet keeps your personal data for as long as it considers necessary for business, legal, or dispute purposes, without specifying a fixed maximum retention period in this notice.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Open-ended retention criteria mean personal data may be kept for extended periods, and users cannot easily predict when their data will be deleted without submitting a specific deletion request.
Interpretive note: The notice describes retention criteria rather than specific periods, making it difficult to assess in practice how long specific categories of personal data are retained without additional documentation from Smartsheet.
Smartsheet does not commit to a specific maximum retention period for most personal data, retaining it based on business necessity, legal obligations, and dispute resolution needs, which means data may persist longer than users expect unless they actively submit a deletion request.
How other platforms handle this
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
We retain your personal data for as long as necessary to provide you with our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. The criteria used to determine our retention periods include the nature and sensitivity of the data, the purposes for which we proc...
Monitoring
Smartsheet has changed this document before.
"We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of time we have an ongoing relationship with you; whether there is a legal obligation to which we are subject; and whether retention is advisable in light of our legal position."
Excerpt from Smartsheet's Smartsheet Privacy Policy
(1) REGULATORY LANDSCAPE: GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept no longer than necessary for the specified purpose. The absence of defined retention periods in the notice may create tension with this requirement, depending on how Smartsheet implements retention in practice. The UK ICO and EU data protection authorities have issued guidance on retention policies. CCPA does not impose specific retention period requirements but requires accurate disclosure of data practices.

(2) GOVERNANCE EXPOSURE: Medium. Undefined retention periods are a common area of GDPR enforcement scrutiny. Enterprise customers should assess whether Smartsheet's retention practices for service data are addressed in their DPA, particularly for categories of sensitive or regulated data.

(3) JURISDICTION FLAGS: EU and UK organizations face the most significant exposure due to GDPR's storage limitation principle. Sector-specific regulations such as HIPAA or FERPA may impose specific retention or deletion requirements that Smartsheet's general retention policy may not address without supplemental agreement terms.

(4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should request Smartsheet's data retention schedule as part of vendor due diligence and confirm that service data retention periods align with their own legal and regulatory obligations. The DPA should specify retention and deletion obligations for processor-held data.

(5) COMPLIANCE CONSIDERATIONS: Legal teams should assess whether Smartsheet's retention practices for specific data categories, particularly sensitive or regulated data, are consistent with applicable law. Users and organizations should submit deletion requests proactively if they wish to remove personal data from Smartsheet's systems rather than relying on automatic deletion.
ConductAtlas has identified this type of provision across 115 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.