Maplebear (CART) Risk Analysis

The markets in which we compete are evolving rapidly and are highly competitive with increasing competitive pressure. Our business is complex and encompasses a range of technologies, offering types, and fulfillment methods that serve the diverse needs of our constituents. With respect to Instacart Marketplace, our current and potential competitors include, but are not limited to: (i) existing and well-established online grocery or shopping alternatives, including digital-first platforms, such as Amazon and Thrive Market, (ii) brick-and-mortar retailers that have their own digital and fulfillment offerings, such as Target and Walmart, some of which decide to partner with Instacart to complement their own offerings, (iii) companies that provide e-commerce and fulfillment services for third parties, including retailers, whether online or offline, such as DoorDash, Shipt (acquired by Target), and Uber Eats, (iv) digital-first platforms entering the grocery market by owning inventory, including DashMart (owned by DoorDash), Fresh Direct (owned by Getir), and Gopuff, which may include existing retailers on Instacart, which could eventually eliminate their need to partner with us or limit their use of Instacart Marketplace, (v) companies that provide e-commerce and fulfillment services that focus on discrete categories of products, such as alcohol or prescription delivery, including Alto Pharmacy, and (vi) companies that offer direct to consumer ingredient or meal offerings, such as Blue Apron (owned by Wonder Group) or Misfits Market, some of which may partner with Instacart to complement their own offerings. Most consumers currently choose to shop for themselves at brick-and-mortar grocery stores, regardless of whether we partner with the retailers that operate these stores. Also, the cost to switch between providers of online grocery shopping is low for consumers, and consumers within various demographics have a propensity to shift to the lowest-cost or highest-quality provider and may use more than one platform. With respect to Instacart Enterprise Platform, our current and potential competitors include, but are not limited to: (i) companies that are focused on the online grocery enterprise services industry, as well as larger enterprise software companies that have products and services that provide retailers with some of the benefits we offer through Instacart Enterprise Platform, (ii) micro-fulfillment or automated warehouse providers that support grocery retailers' owned and operated offerings, such as Ocado, and (iii) existing and potential retailers on Instacart who develop or may in the future develop their own enterprise e-commerce system. In addition, our competitors include companies that provide point solutions for individual components of Instacart's e-commerce offering such as picking technology and retail media network solutions. Our competitors may also make acquisitions or establish cooperative or other strategic relationships among themselves or with others, including retailers. While there may be costs to switch between enterprise products, retailers may shift to the platform that offers the lowest service fee for their products and provides the highest volume of orders, or build their own. Our Instacart Enterprise Platform also includes in-store technology offerings, including Caper Carts, Lists, Carrot Tags, and other in-store applications, which face competition from other retailer technology solution providers, such as Veeve and Amazon. With respect to Instacart Ads, our current and potential competitors include, but are not limited to: (i) third-party platforms that assist retailers with monetization of their digital offerings for consumers, such as CitrusAd (acquired by Publicis Groupe), Criteo, and Quotient, (ii) first-party retailer-owned solutions that provide online advertising opportunities to brands on their owned and operated domains, such as Amazon, Kroger, Target, Walmart, and others, some of which are also retailers on Instacart, (iii) companies that provide e-commerce and fulfillment services for third parties, including retailers, which currently offer or may in the future offer advertising products, such as DoorDash and Uber Eats, and (iv) companies that offer established online advertising products that are not specifically limited to the grocery industry, such as those offered by Amazon, Google, Meta, and Snap. With respect to restaurants offered on Instacart's Marketplace via our partnership with Uber, there are a number of competitors to such offering available through Instacart including, but not limited to: (i) local on-demand delivery companies such as DoorDash, Uber Eats via Uber's native applications, and Grubhub (acquired by Wonder), (ii) restaurants that have their own online ordering platform or online ordering systems, and (iii) other businesses that offer online ordering of prepared meals. Many consumers also rely on offline ordering channels, such as take-out offerings, telephone, and paper menus advertised by restaurants to consumers. The cost to switch between providers of online restaurant delivery is low for consumers, and consumers within various demographics have a propensity to shift to the lowest-cost or highest-quality provider and may use more than one delivery platform. In addition, competitors may offer different restaurant selection or restaurant delivery focused memberships that discourage consumers from switching to our offering. We also compete for shoppers with many of the same companies with which we compete for customers, as well as companies in industries unrelated to ours that offer personal task-based services. The majority of shoppers do not shop on Instacart as their primary occupation or source of income. As such, a shopper, or someone considering to be a shopper, weighs that opportunity against others, such as traditional employment, personal task-based services, school, personal time, or other options in the labor market. Because switching costs are low, shoppers may shift to another platform that has higher, or is perceived to have higher, earnings potential. Further, while we work to expand further in the United States and Canada and scale international markets, and introduce new offerings across a range of industries, many of our competitors remain focused on a limited number of products or on a narrow geographic scope, allowing them to develop specialized expertise and employ resources in a more targeted manner than we do. As we and our competitors introduce new offerings, and as existing offerings evolve, we expect to become subject to additional competition. If we are unable to offer comparable or superior offerings, our business may be adversely affected. In addition, our competitors may adopt certain of our features, or may adopt innovations that consumers value more highly than ours, which would render our offerings less attractive or reduce our ability to differentiate our offerings. Many of our competitors are well-capitalized and are able to offer discounted or free services, shopper incentives, consumer discounts and promotions, innovative products and offerings, and alternative pricing models, which may be more attractive to retailers, consumers, brands, or shoppers than those that we offer. In addition, we may not be able to effectively compete with service offerings from vertically integrated competitors, such as Amazon or Gopuff, which control both the brick-and-mortar retailer and online fulfillment technology. Certain brick-and-mortar retailers that have their own digital offering, such as Walmart, also have significant size, scale, geographic, and customer base advantages, which may allow them to grow online sales or capture increasing share of the online grocery market or advertising budgets more effectively and at a faster rate than us. Competitors may also offer fulfillment options from our retail partners, despite having no formal engagement with such retailers. Further, some of our current or potential competitors have, and may in the future continue to have, greater resources and access to larger consumer and shopper bases in a particular geographic area. In addition, our competitors in certain geographies enjoy substantial competitive advantages, such as greater brand recognition, longer operating histories, larger marketing budgets, better localized knowledge, and/or fewer regulatory challenges. Smaller competitors may be more nimble at anticipating and meeting changing market dynamics and new entrants to online grocery are able to initially grow grocery sales at a faster rate due to their smaller scale, which has attracted advertising budget to certain of these competitors. As a result, such competitors may be able to respond more quickly and effectively than us in such markets to new or changing opportunities, technologies, consumer preferences, regulations, or standards, which may render our offerings less attractive. In addition, future competitors may share in the effective benefit of any regulatory or governmental approvals and litigation victories we may achieve, without having to incur the costs we have incurred to obtain such benefits. For all of these reasons, we may not be able to compete successfully against our current and future competitors. Our inability to compete effectively would have an adverse effect on our ability to acquire new retailers, customers, and brand partners or increase the engagement of our existing retailers, customers, and brand partners, or would otherwise harm our business, financial condition, and results of operations. Third parties may also gather, collect, or infer sensitive information about us from public sources, data brokers, or other means that reveal competitively sensitive details about our organization and could be used to undermine our competitive advantage or market position.

The market acceptance of our offerings is critical to our continued success. Historically, consumers and retailers have been slower to adopt online grocery shopping than e-commerce offerings in other industries such as consumer electronics and apparel. Grocery is a complex market, and improving upon the traditional consumer in-store experience through an online platform or with connected shopping experiences is difficult due to broad consumer demands on selection, quality, affordability, and convenience. Grocery shopping habits and related consumer preferences are complex and diverse across and within markets and across demographics and age groups. Changing traditional grocery shopping habits is difficult, and if consumers and retailers do not embrace the transition to online grocery shopping and connected shopping experiences as we expect, our business and operations could be harmed. The amount of influence we may have over these shopping habits and preferences, and the methods at our disposal to exercise such influence (including marketing and incentives), may be limited, and we are dependent on external influences over shopping habits, such as public health incidents and inclement weather, and macroeconomic factors. In particular, shopping habits and preferences vary between younger and older consumers, consumers across different income groups, and among other demographic characteristics, and to be successful, we need to effectively increase market acceptance across all age, income, and other demographically different groups by increasing brand awareness and focusing marketing efforts on relevant habits and preferences. Moreover, even if more consumers begin to shop for groceries online, if we are unable to address their changing needs, or the evolving needs of retailers or brands, and anticipate or respond to market trends and new technologies in a timely and cost-efficient manner, we could experience decreased adoption, increased customer churn and lose the support of retailers and brands, any of which would adversely affect our business and results of operations. Demand for our offerings is also affected by a number of factors beyond our control, including macroeconomic conditions, initiatives by retailers to influence shopping behavior, continued market acceptance of our offerings, the timing of development and release of new offerings and features by us, the timing or manner of the adoption of our offerings by retailers and our competitors, changing consumer dietary preferences, technological change, brand recognition, and growth or contraction in our markets. If we fail to achieve increased market acceptance of our offerings, our business could be seriously harmed.

Shoppers perform certain tasks for customers, including picking and delivering goods, on Instacart. We enter into agreements with shoppers for them to provide fulfillment and other services to customers through Instacart and our technology. Our agreements with shoppers generally remain in effect until terminated by the shopper or by us. Shoppers may generally terminate their agreements with us at any time by providing us written notice and such agreements do not provide for any exclusivity. If there are not enough shoppers on Instacart, customer orders may be late, may go unfulfilled, or may be incorrectly fulfilled, which would have a negative effect on those impacted customers and retailers and consequently on our business. If there are too many shoppers on Instacart, there may be an insufficient number of customers placing orders to keep shoppers occupied, engaged, and satisfied with their earnings potential on Instacart. If we are unable to attract shoppers on favorable terms or increase utilization of Instacart by existing shoppers, if we lose shoppers on Instacart, or if shoppers determine it is no longer economically worthwhile to provide services on Instacart due to factors that may be beyond our control, including the costs of gasoline, vehicles, or insurance, changes in consumer behaviors in grocery shopping, actual or perceived economic advantages of providing services with other companies that engage independent contractors, including our competitors, our growth objectives and our business and prospects could be seriously harmed. The number of shoppers on Instacart could decline or fluctuate as a result of a number of factors, including shoppers choosing not to provide their services through Instacart as a result of being dissatisfied with their earnings potential, our pay model or changes to our pay model, changes to the terms of our independent contractor agreement, shopper incentives, our retail partners, having a poor experience on Instacart, or deciding to pursue other work opportunities. For example, shoppers may prefer to provide services through other companies that engage independent contractors if these companies provide benefits such as insurance or portable benefit accounts, or if shoppers simply prefer other app-based work opportunities, such as passenger transportation or restaurant delivery, for non-economic reasons. Many shoppers provide services part-time and have other independent contracting work or employment. Factors outside of our control, including macroeconomic factors, and improvements in labor markets, may cause shoppers to cease providing services on Instacart and become employees elsewhere. Shopper dissatisfaction has in the past resulted in shopper protests, coordinated shopper work stoppages, shoppers choosing not to provide their services through Instacart, and negative press. Any protests, work stoppages or refusals to provide services may result in interruptions to our business or negative publicity and may otherwise harm our business and reputation. While we have implemented strategic initiatives and commitments to bolster our reputation with shoppers in the past, and intend to continue implementing such initiatives and commitments in the future, there can be no assurance that these will be effective to retain shoppers and maintain or improve our reputation with shoppers. From time to time, we have experienced, and expect to continue to experience, shopper shortages, often due to factors that are not within our control and which may be difficult to predict. Shoppers have significant flexibility regarding the in-store tasks they want to perform, including when, where, and how they wish to shop. Shoppers may also provide services on other app-based platforms. To the extent that we experience shopper shortages, we may need to provide or increase incentives to shoppers in order to attract them to Instacart, which would negatively impact our financial results. Our expectations and predictions for shopper needs and preferences may also be inaccurate or incomplete, including due to a lack of historical data for our current scale and scope of operations or due to consumer demand surges that can arise due to factors outside of our control, such as inclement weather. Under these circumstances, we may not be able to attract enough shoppers to fulfill orders in a timely manner even with shopper incentives. Consequently, if shopper shortages lead to the inability of customers to place orders through Instacart or to delayed or incorrect orders, we may lose customers to other online grocery platforms or to other modes of shopping, particularly customers in certain demographic groups who have historically been less prevalent users of Instacart and are more difficult to engage or retain, which would harm our growth, profitability, and results of operations. Finally, the loss of customer orders due to a lack of shoppers to fulfill them or due to incorrect order fulfillment may reduce the perceived value of our offerings to retailers, who may in turn leave Instacart. In addition, authorities have passed laws or adopted regulations, and may continue to do so in the future, requiring shoppers in the applicable jurisdiction to undergo a materially different type of qualification, training, licensure, screening, or background check process, which could be costly and time-consuming. These laws have also in the past imposed and may in the future impose requirements forcing us to fix minimum levels of compensation and provide certain benefits for shoppers, disclose additional details about orders, prices, and shopper earnings, and handle shopper account deactivation in a prescribed manner, which could force us to create new administrative processes and negatively affect our ability to attract and retain retailers, customers, or shoppers, as well as require us to share competitively sensitive information that may cause harm to our business. Court decisions interpreting or otherwise affecting such laws regarding shopper classification or shopper pay and benefits, or interpretations by agencies of the applicability of a retailer or brand collective bargaining agreement to certain tasks shoppers perform, may also negatively affect our ability to attract and retain retailers, customers, or shoppers. Even if some or all of such changes are ultimately not costly or time-consuming, they could reduce the number of shoppers in those markets or extend the time required to recruit new shoppers to Instacart, which could adversely impact our growth, business, and results of operations. Often, we are forced to balance tradeoffs between the satisfaction of various constituents on Instacart, as a change that one category views as positive may be viewed as negative to another category. For example, we take certain measures that are designed to protect against fraud, help increase safety, and prevent privacy and security breaches, such as imposing certain qualifications for shoppers and terminating access to Instacart for shoppers with reported incidents, that may be popular with consumers but may also damage our relationships with shoppers or discourage or diminish their use of Instacart. Certain measures we take to incentivize shoppers, such as smaller windows for reducing tips after an order is complete, may be popular with shoppers but may also be viewed negatively by consumers who wish to have more flexibility over tipping. Further, increased shopper flexibility in when, where, and how to shop may result in shopper shortages during periods of peak demand, which may cause frustration with retailers and customers. If we do not adequately balance the tradeoffs among the various constituents on Instacart and continuously assess such tradeoffs in the context of prevailing market and competitive factors, our business may be harmed.

As part of our normal business activities, we collect, use, store, share, transmit, and otherwise process sensitive, proprietary, and confidential information, including personal information of retailers, customers, brands, shoppers, employees, and others. These activities are regulated by a variety of federal, state, local, and foreign privacy, data security, and data protection laws, regulations, and industry standards, which have become increasingly stringent in recent years. In addition, existing laws and regulations are complex and constantly evolving, and new laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally which could further restrict certain uses of the personal information of retailers, customers, brands, shoppers, employees, and others. We are, and may increasingly become, subject to various laws, regulations, and standards, and are subject to certain contractual obligations, industry standards, codes of conduct, and regulatory guidance relating to privacy, data security, and data protection in the jurisdictions in which we operate. Our efforts to comply with such obligations may not be successful. In the United States, there are numerous federal and state privacy and data security laws, rules, and regulations governing the collection, use, storage, sharing, transmission, and other processing of personal information, including federal and state privacy laws, data security laws, data breach notification laws, consumer protection laws, and other similar laws (e.g., wiretapping laws). For example, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM") and the Telephone Consumer Protection Act of 1991 ("TCPA") impose specific requirements on communications with customers. In addition, many state legislatures have enacted comprehensive privacy laws that impose certain obligations on covered businesses, including providing specific disclosures in privacy notices and affording residents with certain rights concerning their personal data. As applicable, such rights may include the right to access, correct, or delete certain personal data, and to opt-out of certain data processing activities, such as targeted advertising, profiling, and automated decision-making. The exercise of these rights has and may continue to impact our business and ability to provide our products and services. Certain states also impose stricter requirements for processing certain personal data, including sensitive information, such as conducting data privacy impact assessments. These state laws allow for statutory fines for noncompliance. For example, the CCPA applies to personal data of consumers, business representatives, and employees who are California residents, and requires businesses to provide specific disclosures in privacy notices and honor requests of such individuals to exercise certain privacy rights. The CCPA provides for fines and allows private litigants affected by certain data breaches to recover significant statutory damages. The CCPA and other comprehensive U.S. state privacy laws have and may continue to further complicate compliance efforts, and increase legal risk and compliance costs for us and the third parties with whom we work. For example, our marketing initiatives and Instacart Ads offerings could be further adversely affected, and additional investment in compliance may be required. Similar laws are being considered in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States, and we expect additional investment in compliance to be required. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging and expose us to additional liability. We are also subject to certain health information privacy and security laws. A number of state legislatures have adopted legislation that regulates how businesses may use consumers' health data. For example, the Washington My Health My Data Act creates restrictions on the use of consumer health data for purposes such as marketing and advertising. As a result, our marketing initiatives and Instacart Ads and Instacart Health offerings could be further limited and we have incurred and expect to continue incurring additional compliance expenses. We are also subject to additional health information privacy and security laws as a result of the limited amount of health information that we receive in connection with the prescription delivery services that we provide on behalf of pharmacy retailers. These laws and regulations include HIPAA, which establishes privacy, security, and breach notification standards for protected health information processed by health plans, healthcare clearinghouses, and certain healthcare providers, collectively referred to as covered entities, and the business associates with whom such covered entities contract for services, as well as their covered subcontractors. We are regulated as a "business associate" of certain covered entity pharmacy retailers and must comply with HIPAA as applicable to business associates. We maintain a HIPAA compliance program, but it is not always possible to identify and deter misuse by our employees and other third parties, and the precautions we take to detect and prevent noncompliance may not be effective in preventing all misuse, breaches, or violations. Violations of HIPAA may result in significant administrative, civil, and criminal penalties. State attorneys general also have the right to prosecute HIPAA violations committed against residents of their states. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for a HIPAA violation, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in misusing personal information. Many states in which we operate and in which our customers reside also have laws that protect the privacy and security of health information, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. Failure to comply with such state laws may also subject us to significant penalties. As we expand our Instacart Health offering, we anticipate that the risk associated with HIPAA compliance will increase and that we may be required to make significant investments in order to build compliant product offerings in the health space. Some U.S. states and the FTC have also adopted privacy laws or issued guidance limiting the collection and use of certain health information that may extend to our customers' interactions with certain over-the-counter health products. Federal, state, and local privacy and consumer protection laws also govern specific technologies that we employ. For example, the Telephone Consumer Protection Act ("TCPA"), imposes significant restrictions on sending text messages or making telephone calls to mobile telephone numbers without the prior consent of the person being contacted. We also use identity verification technologies that may subject us to state and local biometric privacy laws. For example, the Illinois Biometric Information Privacy Act ("BIPA"), regulates the collection, use, safeguarding, and storage of biometric information. The TCPA and BIPA provide for substantial penalties and statutory damages and have generated significant class action activity. The cost of litigating and settling claims that we have violated the TCPA, BIPA, or similar laws could be significant. Foreign privacy laws are also undergoing a period of rapid change, have become more stringent in recent years, and may increase the costs and complexity of offering our offerings in new geographies. In Canada, where we operate, the Personal Information Protection and Electronic Documents Act ("PIPEDA"), and various provincial laws require that companies give detailed privacy notices to consumers, obtain consent to use personal information, with limited exceptions, allow individuals to access and correct their personal information, and report certain data breaches. In addition, Canada's Anti-Spam Legislation ("CASL"), prohibits email marketing without the recipient's consent, with limited exceptions. Failure to comply with PIPEDA, CASL, or provincial privacy or data protection laws could result in significant fines and penalties or possible damage awards. The Canadian province of Quebec also passed a comprehensive privacy law that grants individuals extensive rights with respect to their personal information, including the right to consent to certain marketing and advertising practices. In addition, certain of our subsidiaries have immaterial operations in China, Australia,and Mexico and are subject to, respectively, China's Personal Information Protection Law, Australia's Privacy Act 1988 and Spam Act 2003, and Mexico's Federal Law for the Protection of Personal Data Held by Private Parties. These laws impose a number of requirements on our processing of personal information and direct marketing activities that may increase our compliance costs and risk of facing regulatory enforcement action. Certain of our subsidiaries are subject to the United Kingdom General Data Protection Regulation ("UK GDPR") and to the European Union's General Data Protection Regulation ("GDPR"). Future expansion of our business, operations, or service offerings to the European Economic Area ("EEA"), will increase our exposure to data protection laws in the region, including the GDPR. The GDPR and UK GDPR impose strict requirements for processing personal data of individuals, give individuals extensive rights with respect to their personal data, and carry penalties for violations of up to the greater of EUR 20 million or 4% of total global annual turnover in the European Union, and up to the greater of GBP 17.5 million or 4% total global annual turnover in the United Kingdom. Companies that violate the GDPR or UK GDPR may also face prohibitions on data processing and other corrective action, as well as private litigation brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests. Europe, the United Kingdom, and other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the EEA and the United Kingdom have significantly restricted the transfer of personal data to the United States and other countries whose privacy laws they believe are inadequate. Other jurisdictions have in the past and may continue to adopt similarly stringent data localization and cross-border data transfer laws. Although there are currently various mechanisms that may be used to transfer personal data from the EEA and United Kingdom to the United States in compliance with law, such as the EEA's and UK's standard contractual clauses, certain of these mechanisms are subject to legal challenges, and there is no assurance that we can satisfy or rely on these measures to lawfully transfer personal data to the United States. If there is no lawful manner for us to transfer personal data from the EEA, the United Kingdom, or other jurisdictions to the United States, or if the requirements for a legally-compliant transfer are too onerous, we could face significant adverse consequences, including the interruption or degradation of our operations, the need to relocate part of or all of our business or data processing activities to other jurisdictions at significant expense, increased exposure to regulatory actions, substantial fines and penalties, injunctions against our processing or transferring personal data necessary to operate our business, the inability to transfer data and work with partners, vendors and other third parties, and our ability to expand our business to the EEA, United Kingdom, or other countries with similar cross-border data transfer restrictions may be limited. Additionally, companies that transfer personal data out of the EEA and United Kingdom to other jurisdictions, particularly to the United States, are subject to increased scrutiny from regulators, individual litigants, and activist groups. Some European regulators have ordered certain companies to suspend or permanently cease certain transfers out of Europe for allegedly violating the GDPR's cross-border data transfer limitations. We also publish privacy policies and other statements regarding data privacy, artificial intelligence, and security. Regulators in the United States have scrutinized and are increasingly scrutinizing these statements, and if these policies or statements are found to be deficient, lacking in transparency, deceptive, unfair, or misrepresentative of our practices, we may be subject to investigation, enforcement actions by regulators, or other adverse consequences. Other data protection laws in the EEA and the United Kingdom, such as those implementing the ePrivacy Directive, restrict the use of cookies and similar technologies on which our website, mobile app, and Instacart Ads offerings rely, including to facilitate online behavioral advertising. Regulators are increasingly focused on compliance with requirements in the online behavioral advertising ecosystem, and current national laws implementing the ePrivacy Directive are likely to be replaced in the European Union by a regulation known as the ePrivacy Regulation, which will significantly increase fines for non-compliance to GDPR-level fines. Other countries outside of Europe increasingly emulate European data protection laws. As a result, operating our business or offering our services in Europe or other countries with similar data protection laws would subject us to substantial compliance costs and potential liability and may require changes to the ways we collect and use personal information. Governments and regulators in certain jurisdictions, including Europe, are increasingly seeking to regulate the use, transfer, and other processing of non-personal information (for example, under the European Union's Data Act). This means that, if and to the extent such regulations are relevant to our operations or those of our customers, certain of the risks and considerations outlined above may apply equally to our processing of both personal and non-personal data. In addition, major technology platforms on which we rely, privacy advocates, and industry groups have regularly proposed, and may propose in the future, platform requirements or self-regulatory standards by which we are legally or contractually bound. If we fail to comply with these contractual obligations or standards, we may lose access to technology platforms on which we rely and face substantial regulatory enforcement, liability, and fines. For example, Apple requires mobile applications using its operating system, iOS, to affirmatively obtain an end user's permission for cross-contextual advertising. Other technology platforms are considering similar restrictions. Such restrictions could limit the efficacy of our marketing activities and our Instacart Ads offerings. In addition to existing privacy-related laws, platform requirements, and binding self-regulatory standards, certain legislative proposals and draft regulations seek to further regulate targeted advertising activities, and regulators are increasingly scrutinizing the use of online tracking tools and compliance with requirements related to the online behavioral advertising ecosystem. As a result, we may be required to develop alternative solutions to support our marketing initiatives and/or change the way we deliver our Instacart Ads offerings. In addition, consumer resistance to the collection and sharing of the data used to deliver targeted advertising, increased visibility of consent or requirements to respond to "do not track" mechanisms (such as browser signals from the Global Privacy Control) as a result of regulatory or legal developments, the adoption by consumers of browser settings or "ad-blocking" software, and the development and deployment of new technologies could materially impact our ability to collect and use data or reduce our ability to deliver relevant promotions or media, which could materially impair the results of our operations. Further, our business relies significantly on our ability to accept credit or debit card payments, including payments made using our co-branded credit card. Such payments are subject to the Payment Card Industry ("PCI"), Data Security Standard. We rely on vendors to handle PCI matters and to ensure PCI compliance. Despite our compliance efforts, we may become subject to claims that we have violated the PCI Data Security Standard, based on past, present, and future business practices. In addition, payment card networks may adopt changes to the PCI Data Security Standard, or change their interpretations of such rules in a way that we or our processors might find it difficult or even impossible to follow, or costly to implement. If we violate the PCI Data Security Standard or other applicable rules, we may incur fines or restrictions on our ability to accept payment cards or suffer reputational harm, all of which could have an adverse impact on our business. Despite our efforts, we may not be successful in achieving compliance with the rapidly evolving privacy, data security, and data protection requirements discussed above. Any actual or perceived non-compliance, by us or the third parties upon whom we rely, could result in litigation and proceedings against us by governmental entities, customers, or others (including class action claims or mass arbitration demands), expenditure of time and resources to defend any claim or inquiry, fines and civil or criminal penalties, limited ability or inability to operate our business, offer services, or market our offerings in certain jurisdictions, negative publicity and harm to our brand and reputation, reduced overall demand for our offerings, or substantial changes to our business model or operations. Such occurrences could adversely affect our business, financial condition, and results of operations.

We have in the past been, are currently, and may in the future become, involved in claims, lawsuits, arbitration proceedings, administrative actions, government investigations, and other legal and regulatory proceedings. We are subject to investigations and legal proceedings relating to various matters including whether we fulfilled our contractual obligations to or improperly withheld pay or tips from shoppers, whether we adequately protected the public's or shoppers' health and safety, whether we properly provide protected leave, whether we properly paid sales tax, whether we properly implemented our service fees, whether we improperly conduct background checks of shoppers, and whether we are responsible for injury resulting from alleged shopper actions or negligence. We are also subject to investigations and legal proceedings involving bodily injury and property damage, labor and employment, anti-discrimination claims, commercial and contract disputes, unfair competition, consumer protection regulations, including fees and pricing and related disclosures and automatic renewal laws, intellectual property, transactions involving our securities, privacy, data security, and data protection, environmental laws and regulations, health and safety, weights and measures, compliance with regulatory requirements, and other matters. For example, we are currently subject to a securities class action lawsuit in federal court alleging federal securities law violations in connection with our IPO. See the section titled "Legal Proceedings" for more information. The results of any such litigation, investigations, and legal proceedings are inherently unpredictable and expensive. The frequency of such claims could increase in proportion to the number of retailers, customers, brands, and shoppers that use Instacart. Any claims against us, whether meritorious or not, could be costly and harmful to our reputation, and could require significant amounts of management time and corporate resources. If any of these legal proceedings were to be determined adversely to us, or we enter into a settlement arrangement, which we have done in the past, we could be exposed to monetary damages or be forced to change the way in which we operate our business or remove valuable features or content from our platform, which could have an adverse effect on our business, financial condition, and results of operations. Moreover, we cannot be certain that our insurance coverage will be adequate for any claims or liabilities against us, that insurance will continue to be available to us on commercially reasonable terms or at all, or that any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have an adverse effect on our reputation, brand, business, financial condition, and results of operations. We also face potential liability and expense for claims relating to the information that we publish on our mobile apps or website, including claims for trademark and copyright infringement, false advertising, consumer protection, defamation, libel, and negligence, among others. In addition, we regularly include arbitration provisions in our terms of service with customers and shoppers. These provisions are intended to streamline the litigation process for all parties involved, as arbitration can in some cases be faster and less costly than litigating disputes in state or federal court. However, arbitration may become more costly for us, or the volume of arbitrations may increase and become burdensome. Further, the use of arbitration provisions may subject us to certain risks to our reputation and brand, as these provisions have been the subject of increasing public scrutiny. To minimize these risks, we may voluntarily limit our use of arbitration provisions, or we may be required to do so, in any legal or regulatory proceeding, either of which could increase our litigation costs and exposure in respect of such proceedings. Further, with the potential for conflicting rules, new or upcoming rules or changes in the interpretation of such rules regarding the scope and enforceability of arbitration on a state-by-state basis, conflicting rules between state and federal law, some or all of our arbitration provisions could be subject to challenge or may need to be to exempt certain categories of protection. For example, some plaintiffs' attorneys have argued that certain shoppers are workers "in interstate commerce" and are thus exempt from the Federal Arbitration Act, and it remains possible that a court could find our agreements unenforceable against those shoppers. If our arbitration agreements were found to be unenforceable, in whole or in part, or specific claims were required to be exempted from arbitration, we could experience an increase in our litigation costs and the time involved in resolving such disputes, and we could face increased exposure to potentially costly lawsuits, each of which could adversely affect our business, financial condition, and results of operations.

The tax laws to which we are subject or under which we operate are unsettled and may be subject to significant change. The issuance of additional guidance related to existing or future tax laws, or changes to tax laws or regulations proposed or implemented by the current or a future U.S. presidential administration, Congress, or taxing authorities in other jurisdictions, including jurisdictions outside of the United States, could materially affect our tax obligations and effective tax rate. Such changes have had and, along with any related uncertainty generated by these changes, may in the future have adverse impacts on our business, financial condition, results of operations, and cash flows. The amount of taxes we pay in different jurisdictions depends on the application of the tax laws of various jurisdictions, including the United States, to our international business activities, tax rates, new or revised tax laws, or interpretations of tax laws and policies, and our ability to operate our business in a manner consistent with our corporate structure and intercompany arrangements. The taxing authorities of the jurisdictions in which we operate may challenge our methodologies for pricing intercompany transactions pursuant to our intercompany arrangements or disagree with our determinations as to the income and expenses attributable to specific jurisdictions. If such a challenge or disagreement were to occur, and our position was not sustained, we could be required to pay additional taxes, interest, and penalties, which could result in one-time tax charges, higher effective tax rates, reduced cash flows, and lower overall profitability of our operations. Our financial statements could fail to reflect adequate reserves to cover such a contingency. Similarly, a taxing authority could assert that we are subject to tax in a jurisdiction where we believe we have not established a taxable connection, often referred to as a "permanent establishment" under international tax treaties, and such an assertion, if successful, could increase our expected tax liability in one or more jurisdictions. In addition, the Organization for Economic Cooperation and Development ("OECD") has published proposals covering a number of issues, including country-by-country reporting, permanent establishment rules, transfer pricing rules, tax treaties and taxation of the digital economy. While substantial work remains to be completed by the OECD and national governments on the implementation of these proposals, future tax reform resulting from these developments may result in changes to long-standing tax principles, which could adversely affect our effective tax rate or result in higher cash tax liabilities.

We have in the past been, are currently in, and may in the future become subject to intellectual property disputes. Our success depends, in part, on our ability to develop and commercialize our offerings without infringing, misappropriating, or otherwise violating the intellectual property rights of third parties. However, we may not be aware that our offerings are infringing, misappropriating, or otherwise violating third-party intellectual property rights, and such third parties may bring claims alleging such infringement, misappropriation, or violation. For example, we rely on a combination of third-party intellectual property licenses and the fair use doctrine when we refer to third-party intellectual property, such as brand names and product images, on Instacart. Third parties may dispute the scope of those rights or the applicability of the fair-use doctrine or otherwise challenge our ability to reference their intellectual property in the course of our business. From time to time, we are contacted by companies controlling brands of products that are sold by retailers, demanding that we cease referencing those brands or take down product images on Instacart. Additionally, companies in the internet and technology industries, and other patent holders, including "non-practicing entities," seeking to profit from royalties in connection with grants of licenses or seeking to obtain injunctions, own large numbers of patents and other intellectual property and frequently enter into litigation based on allegations of infringement or other violations of intellectual property rights. To reduce the risk of adverse outcomes in intellectual property disputes, we may need to establish new intellectual property agreements or renew existing licenses. However, this strategy of cross-licensing our patent portfolio with third parties in order to settle infringement claims brought against us may not be appropriate in the future and is not effective against certain patent owners, such as non-practicing entities. Other parties have asserted, and in the future may assert, that we have infringed their intellectual property rights. Any claims of intellectual property infringement, even those without merit, could be time consuming and costly to defend, cause us to cease using or incorporating the asserted intellectual property rights, divert management's attention and resources, and expose us to other legal liabilities, such as indemnification obligations. We could be required to pay substantial damages or cease using intellectual property or technology that is deemed infringing or be required to enter into royalty or licensing agreements to obtain the right to use a third party's intellectual property. Any such royalty or licensing agreements may not be available to us on acceptable terms or at all. Additionally, a successful claim of infringement against us could result in us being required to pay significant damages or enter into costly license or royalty agreements, either of which could have an adverse impact on our business. The technology industry is characterized by the existence of a large number of patents, copyrights, trademarks, trade secrets, and other intellectual and proprietary rights. Companies in the technology industry are often required to defend against litigation claims based on allegations of infringement, misappropriation, or other violations of intellectual property rights. Our technologies may not be able to withstand any third-party claims against their use. In addition, some companies have the capability to dedicate substantially greater resources to enforce their intellectual property rights and to defend claims that may be brought against them. Relative to certain of our competitors, we do not currently have a large patent portfolio, and our relative patent portfolio size may reduce the deterrence value of our portfolio against patent infringement claims brought by competitors or other entities with larger portfolios. Our competitors and others may now and in the future have significantly larger and more mature patent portfolios than we have. If a third party is able to obtain an injunction preventing us from accessing such third-party intellectual property rights, or if we cannot license or develop alternative technology for any potentially infringing aspect of our business, we could be forced to rebrand our offerings, limit, or stop sales of our offerings and technology capabilities, or cease business activities related to such intellectual property. Although we carry general liability insurance, our insurance may not cover potential claims of this type or may not be adequate to indemnify us for all liability that may be imposed. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not have an adverse effect on our business, financial condition, or results of operations. Any intellectual property litigation to which we might become a party, or for which we are required to provide indemnification, may require us to do one or more of the following: - cease selling or using offerings that incorporate the intellectual property rights that we allegedly infringe, misappropriate, or violate;- make substantial payments for legal fees, settlement payments, or other costs or damages;- obtain a license, which may not be available on reasonable terms or at all, to sell or use the relevant technology; or - redesign the allegedly infringing offerings to avoid infringement, misappropriation, or violation, which could be costly, time-consuming, or impossible. Even if the claims do not result in litigation or are resolved in our favor, these claims, and the time and resources necessary to resolve them, could divert the resources of our management and harm our business and results of operations. Moreover, there could be public announcements of the results of hearings, motions, or other interim proceedings or developments and if securities analysts or investors perceive these results to be negative, it could have a substantial adverse effect on the price of our common stock. We expect that the occurrence of infringement claims is likely to grow as the market for Instacart and our offerings grows. Accordingly, our exposure to damages resulting from infringement claims could increase, and this could further exhaust our financial and management resources.

We depend in part on mobile operating systems, such as Android and iOS, and their respective app marketplaces to make Instacart available to retailers, customers, brands, and shoppers. Any changes in such systems and app marketplaces that degrade the functionality of our apps or give preferential treatment to our competitors' apps could adversely affect Instacart's usage on mobile devices. If such mobile operating systems or app marketplaces limit or prohibit us from making our apps available to retailers, customers, brands, or shoppers, make changes that degrade the functionality of our apps, change the way we collect or use data, increase the cost of using our apps, impose terms of use unsatisfactory to us, alter how we collect fees, increase our compliance costs, impair or inhibit our ability to enter into partnerships or effectively market partnerships, or modify their search or ratings algorithms in ways that are detrimental to us, or if our competitors' placement in such mobile operating systems' app marketplace is more prominent than the placement of our apps, our growth could slow. Our apps have experienced fluctuations in placement in the past, and we anticipate similar fluctuations in the future. Additionally, we are subject to requirements imposed by app marketplaces such as those operated by Apple and Google, who have and may further change their technical requirements or policies in a manner that adversely impacts the way in which we collect, use and share data from users. For example, Apple requires mobile applications using its iOS mobile operating system to obtain a user's permission to track them or access their device's advertising identifier for certain purposes. The long-term impact of these and any other changes remains uncertain. If we do not comply with applicable requirements imposed by app marketplaces, we could lose access to the app marketplaces and users, and our business would be harmed. Any of the foregoing risks could adversely affect our business, financial condition, and results of operations. As new mobile devices and mobile platforms are released, there is no guarantee that certain mobile devices will continue to support our apps or that we can effectively roll out updates to our app. Additionally, in order to deliver high-quality apps, we need to ensure that Instacart is designed to work effectively with a range of mobile technologies, systems, networks, and standards. If retailers, customers, brands, or shoppers that utilize Instacart encounter any difficulty accessing or using our apps on their mobile devices or if we are unable to adapt to changes in popular mobile operating systems, we expect that our growth and engagement would be adversely affected.

Our success and future growth depend largely upon the continued services of our management team. From time to time, there have been and may continue to be changes in our executive management team resulting from the hiring or departure of these personnel, due to voluntary termination of employment, illness, death, disability, or otherwise. Our executive officers are employed on an at-will basis, which means they may terminate their employment with us at any time. The loss of one or more of our executive officers, including due to a leave of absence for medical reasons or otherwise, or the failure by our executive team to effectively work together or with our employees and lead our company, could harm our business. We also are dependent on the continued service of our existing software engineers because of the complexity of our offering capabilities. We do not maintain key man life insurance with respect to any member of management or other employee. In addition, our future success will depend, in part, upon our continued ability to identify and hire skilled personnel with the skills and technical knowledge that we require, including engineering, software design and programming, marketing, sales, and other key personnel, and our business plans and growth may depend on hiring a significant number of additional employees. Such efforts will require significant time, expense, and attention as there is intense competition for such individuals, and new hires require significant training and time before they achieve full productivity, particularly in new sales segments and territories. In addition to hiring new employees, we must continue to focus on developing, motivating, and retaining our best employees, most of whom are at-will employees. If we fail to identify, recruit, and integrate strategic personnel hires, our business, financial condition, and results of operations could be adversely affected. Additionally, the failure to continue hiring new, or the loss of any significant number of our existing engineering personnel could harm our business, financial condition, and results of operations. These risks pertaining to the recruitment, retention, development, motivation, and productivity of our employees may persist or be heightened as a result of any workforce restructuring, and as our workforce becomes increasingly distributed as a result of our Flex First workforce model. We may need to invest significant amounts of cash and equity to attract and retain new employees, and we may never realize returns on these investments. If we hire employees from competitors or other companies, their former employers may attempt to assert that these employees or we have breached various legal obligations, resulting in a diversion of our time and resources. In addition, prospective and existing employees often consider the value of the equity awards they receive in connection with their employment. If the perceived value of our equity awards declines or experiences significant volatility (including as valuations of companies comparable to us decline due to overall market trends, inflation, and related market effects or otherwise), or increases such that prospective employees believe there is limited upside to the value of our equity awards, it may adversely affect our ability to recruit and retain key employees or result in us granting additional equity awards, which would result in additional stock-based compensation expense and further dilution to our stockholders. If we are not able to effectively add and retain employees, our ability to achieve our strategic objectives will be adversely impacted, and our business and future growth prospects will be harmed.

Operating our business and platform involves the collection, use, storage, transmission, and other processing of sensitive, proprietary, and confidential information, including personal information of customers, shoppers, and personnel, our proprietary and confidential information, and the confidential information of partners including retailers and brands. Security incidents compromising the confidentiality, integrity, or availability of this information or our IT systems or data (or those of third parties upon which we rely or otherwise engage with), or disrupting our ability (or that of third parties with whom we work) to provide our offerings, products, and/or services, could materially impact our business and results of operations. We face evolving cybersecurity threats and threat actors including but not limited to state-sponsored and advanced persistent threat actors, malicious code and malware (such as viruses, worms and ransomware), social engineering (including deep fakes, which may be increasingly difficult to identify as fake, and phishing), denial-of-service attacks, credential harvesting, credential stuffing, supply-chain attacks, server malfunctions, software or hardware failures, security bugs, vulnerabilities or misconfigurations in the software or systems on which we rely, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, floods, and other similar threats. In addition, malfeasance, error, theft, or misuse by our own personnel or the personnel of our strategic partners, our collaborators, or the third-party service providers with which we engage, of our intellectual property, financial data, or employee, retailer, customer, brand, or shopper data, could adversely affect our business and results of operations, particularly if such information is provided to or accessed by a competitor. We rely on a number of third parties to operate our critical business systems and to process confidential and personal information, such as the payment processors that process customer credit card payments, cloud service providers, and employee and customer service centers, including those located in other countries. Our ability to require, monitor and enforce these third parties' information security practices is limited. Because third parties provide operational support to our business and process confidential and personal information on our behalf, we could experience materially adverse consequences as a result of cyberattacks or incidents experienced by those third parties. Third party and supply chain attacks have increased in frequency and severity and we cannot guarantee that the security of our service providers or any of their partners has not been materially compromised. We also cannot be certain that our contracts with these third parties will allow us to obtain indemnification or recovery from them for data security-related liability that they cause us to incur. Threat actors, nation-states, and nation-state-supported actors now engage, and are expected to continue to engage, in cyber-attacks, including for geopolitical reasons and in connection with military conflicts and operations. Due to the current geopolitical environment, we and the third parties upon which we rely are at heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell, and distribute our goods and services. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to significant interruptions in our operations, loss of sensitive data and income, reputational harm, and diversion of funds. In addition, remote work has increased risks to our information technology systems and data, as our employees utilize network connections, computers, and devices outside our premises or network, including working at home, while in transit, and in public locations. For example, technologies in our employees' and service providers' homes are often not as robust as in our offices and could cause the networks, information systems, applications, and other tools available to employees and service providers to be more limited or less reliable than in our offices. Further, the security systems in place at our employees' and service providers' homes, or other remote work locations, may be less secure than those used in our offices. There is no guarantee that the privacy, data security, and data protection safeguards we or our service providers have put in place will be comprehensive, or completely implemented, complied with, or effective. Additionally, future and past business transactions with other parties (such as acquisitions, strategic partnerships, collaborations, or integrations) have exposed us to additional cybersecurity risks and vulnerabilities associated with those parties, such as security issues that were not identified during due diligence, and difficulty or incomplete integration of their systems into our information technology environment and security program. We and certain of our third-party providers regularly experience cyberattacks and other security incidents, and we expect such attacks and incidents to continue. For example, we regularly experience credential stuffing attacks in which malicious third parties use credentials compromised in data breaches suffered by other companies or otherwise improperly obtain credentials to access shopper or customer accounts on Instacart, as well as sophisticated social engineering attacks that involve the installation of malware on our network and unauthorized access to and acquisition of information. It is increasingly difficult and costly to detect, investigate, mitigate, contain, and remediate a security incident. Actions taken by us or the third parties with whom we work to detect, investigate, mitigate, contain, and remediate a security incident could result in outages, data losses, and disruptions of our business, which presents additional opportunities for threat actors to gain access to other networks and systems. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We are unable to comprehensively apply patches or confirm that measures are in place to mitigate all such vulnerabilities, or that patches will be applied before vulnerabilities are exploited, resulting in a security incident. While we have implemented security measures designed to protect against security incidents, we or the third parties we work with cannot anticipate, or implement adequate preventative measures to address all cybercrime and hacking techniques (including the use of artificial intelligence) used by threat actors, including those that are designed to circumvent controls, avoid detection, and remove or obfuscate forensic artifacts. Cyberattacks and incidents may result in any or all of the following that could independently or in the aggregate cause a material adverse impact to our business, financial condition, and results of operations: loss of customer confidence in the security of Instacart and damage to our brand, reduced demand for our offerings, serious disruption of normal business operations, material diversion of resources to investigate and remediate incidents, exposure to legal liability, including through litigation (such as class actions), regulatory enforcement, and indemnity obligations. Further, applicable privacy, data security, and data protection obligations may require us to notify relevant stakeholders of certain security incidents, including affected individuals, customers, regulators, and investors, or to take other actions, such as providing credit monitoring and identity theft protection services. Such disclosures are costly, and the disclosure or the failure to comply with such requirements could lead to adverse consequences, including potential statutory damages under laws such as the California Consumer Privacy Act ("CCPA"). We have expended and may in the future expend significant resources or modify our business activities to try to protect against security incidents. Certain data privacy and security obligations have required us to implement and maintain specific security measures or industry-standard or reasonable security measures to protect our information technology systems and sensitive information. These risks are expected to increase as we continue to grow and process, store, and transmit increasingly large amounts of data. Our contracts may not contain limitations of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our privacy, data security, and data protection obligations. We cannot be sure that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our privacy,data security, and data protection practices, that such coverage will continue to be available on commercially reasonable terms or at all, or that such coverage will pay future claims.