The notice states that the complete Privacy Notice consists of the main page and additional product-specific or region-specific sub-notices, meaning the full scope of data practices applicable to a given user or product context requires review of multiple linked documents.
This analysis describes what Smartsheet's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that the main notice is not a self-contained disclosure; the operational scope of data collection, use, and sharing obligations for specific products or user groups is distributed across multiple linked documents that must be reviewed collectively to assess compliance.
The updated privacy policy states that only Smartsheet's U.S.-based affiliates participate in the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Previously, the policy referenced participation by Smartsheet and its affiliates without geographic qualification. This narrowed scope may affect the data transfer mechanisms available for processing personal data from EU, UK, and Swiss users if non-U.S. affiliates are involved in data handling. The policy does not explicitly describe alternative transfer mechanisms for non-U.S. affiliates.
View change record →This new provision explicitly acknowledges a layered privacy notice structure with product-specific sub-notices, potentially deferring detailed privacy disclosures to separate documents rather than consolidating them in the main policy.
View full change record →Under this structure, users seeking a complete understanding of how their personal data is collected and used by Smartsheet must access and review multiple linked sub-notices in addition to the main privacy notice page.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Smartsheet has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"The Smartsheet Privacy Notice ("Privacy Notice") consists of this page and the specific notices which describe how we collect, use, and share personal data and explain your related rights and choices.— Excerpt from Smartsheet's Smartsheet Privacy Policy
1. REGULATORY LANDSCAPE: GDPR Articles 13 and 14 require that privacy information be provided in a concise, transparent, and easily accessible form. Layered notice structures are recognized under GDPR guidance as acceptable where each layer is accessible and consistent. However, inconsistencies between the main notice and sub-notices could create regulatory exposure. The FTC and applicable state authorities also require that privacy disclosures be clear and not misleading. 2. GOVERNANCE EXPOSURE: Medium. The layered structure creates a compliance review obligation: legal and privacy teams must ensure all sub-notices are current, consistent with the main notice, and accessible to the relevant user populations. Gaps or inconsistencies between documents may create disclosure failures under applicable law. 3. JURISDICTION FLAGS: EU and UK users are entitled to complete and transparent privacy information at point of data collection; layered notices must collectively satisfy GDPR transparency requirements. California users are entitled to a complete description of CCPA categories and practices, which may require that sub-notices be incorporated by reference in a manner accessible to consumers. 4. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should review all sub-notices applicable to products they deploy to confirm that data practices disclosed align with their own privacy obligations to their end users. B2B procurement teams should request documentation of all active sub-notices as part of vendor due diligence. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a registry of all active sub-notices, conduct periodic consistency audits between the main notice and sub-notices, and establish a change management process ensuring sub-notices are updated when data practices change. Any sub-notice governing a specific product or region should be reviewed against the applicable legal requirements for that product or jurisdiction.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that the main notice is not a self-contained disclosure; the operational scope of data collection, use, and sharing obligations for specific products or user groups is distributed across multiple linked documents that must be reviewed collectively to assess compliance.
Under this structure, users seeking a complete understanding of how their personal data is collected and used by Smartsheet must access and review multiple linked sub-notices in addition to the main privacy notice page.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Smartsheet.