Grove Collaborative Holdings (GROV) Risk Factors

We have a limited history introducing new products and services to our customers. New potential products and services may fail at any stage of development or commercialization, including after launch, and if we determine that any of our current or future products are unlikely to succeed, we may abandon them without any return on our investment. In addition, any unsuccessful effort may adversely affect our brand and reputation. If our efforts to attract new customers and engage existing customers with new and enhanced products are unsuccessful or if such efforts are more costly than we expect, our business may be harmed and our potential for growth may be impaired.

We rely on information technology networks and systems and data processing (some of which are managed by third-party service providers) to market, sell and deliver our products and services, to fulfill orders, to collect, receive, store, generate, use, transfer, disclose, make accessible, protect, secure, dispose of, share and otherwise process personal information, confidential or proprietary information, financial information and other information, to manage a variety of business processes and activities, for financial reporting purposes, to operate our business, process orders and to comply with regulatory, legal and tax requirements. These information technology networks and systems, and the processing they perform, may be susceptible to damage, disruptions or shutdowns, software or hardware vulnerabilities, security incidents, ransomware attacks, unauthorized activity and access, malicious code (such as malware, viruses and worms), acts of vandalism, employee or contractor theft, misplaced or lost data, fraud, misconduct or misuse, social engineering attacks and denial of service attacks, supply-side attacks, phishing and spear phishing attacks, organized cyberattacks, programming or human errors, failures during the process of upgrading or replacing software, databases or components, power outages, fires, natural disasters, hardware failures, telecommunication failures, user errors or catastrophic events, any of which could result in the loss or disclosure of confidential customer information or our own proprietary information, software, methodologies and business information. In addition, since the onset of the COVID-19 pandemic, our personnel are often working remotely and relying on their own equipment, which may pose additional data security risks to networks, systems and data. Any material disruption of our networks, systems or data processing activities, or those of our third-party service providers, could disrupt our ability to undertake, and cause a material adverse impact to our business, reputation and financial condition. If our information technology networks and systems or data processing (or those of our third-party service providers) suffers damage, security breaches, vulnerabilities, disruption or shutdown (including, for example, cyberattacks or other attacks on global networking infrastructure carried out by Russia following its invasion of Ukraine in February 2022), and we do not effectively resolve the issues in a timely manner, we could experience a material adverse impact to our business, reputation and financial condition. Our DTC and ecommerce operations are critical to our business and our financial performance. Our website serves as an effective extension of our marketing strategies by exposing potential new consumers to our brand, product offerings and enhanced content. Due to the importance of our website and DTC operations, any material disruption of our networks, systems or data processing activities related to our websites and DTC operations could reduce DTC sales and financial performance, damage our brand's reputation and materially adversely impact our business. The recovery systems, security protocols, network protection mechanisms and other security measures that we have integrated into our systems, networks and physical facilities, which are designed to protect against, detect and minimize security breaches, may not be adequate to prevent or detect service interruption, system failure data loss or theft, or other material adverse consequences. We and our third-party service providers regularly defend against and respond to cybersecurity incidents. No security solution, strategy, or measures can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident, and our incident response procedures may be inadequate to fully contain, mitigate, or remediate a data security incident. Moreover, notwithstanding any contractual rights or remedies we may have, because we do not control our third-party service providers, including their security measures and their processing of data, we cannot ensure the integrity or security of measures they take to protect customer information and prevent data loss. The risk of unauthorized circumvention of our security measures or those of our third-party providers, has been heightened by the increased use of the Internet and telecommunications technologies (including mobile and other connected devices) to conduct financial and other business transactions, advances in computer and software capabilities and the increasing sophistication of hackers who employ complex techniques, including without limitation, the theft or misuse of personal and financial information, counterfeiting, "phishing" or social engineering incidents, ransomware, extortion, publicly announcing security breaches, account takeover attacks, denial or degradation of service attacks, malware, fraudulent payment and identity theft. Because the techniques used by hackers change frequently, we may be unable to anticipate these techniques or implement adequate preventive measures. Our applications, systems, networks, software and physical facilities could have material vulnerabilities, be breached, or personal or confidential information could be otherwise compromised due to employee error or malfeasance, such as where third parties fraudulently induce our personnel or our consumers to disclose information or user names and/or passwords, or otherwise compromise the security of our networks, systems and/or physical facilities. Third-party criminals regularly attempt to exploit vulnerabilities in, or obtain unauthorized access to, platforms, software, applications, systems, networks, sensitive information, and/or physical facilities utilized by us or our vendors. Improper access to our systems or databases could result in the theft, publication, deletion or modification of personal information, confidential or proprietary information, financial information and other information. An actual or perceived breach of our security systems or those of our third-party service providers may require notification under applicable data privacy regulations or contractual obligations, or for consumer relations or publicity purposes, which could result in reputational harm, costly litigation (including class action litigation), material contract breaches, liability, settlement costs, loss of sales, regulatory scrutiny, actions or investigations, a loss of confidence in our business, systems and processing, a diversion of management's time and attention, and significant fines, penalties, assessments, fees and expenses. As is common in the digital world we operate in, we and our third-party service providers have experienced security incidents involving unauthorized access to our account credentials; however, all such incidents have been remediated and we are not aware of any significant impact resulting from such incidents. While we regularly defend against and respond to cybersecurity threats and attacks, our efforts to contain, mitigate and remediate a data security incident may not be successful, resulting in unexpected interruptions, delays, cessation of service, negative publicity, and other harm to our business and our competitive position. The costs to respond to a significant security breach or security vulnerability, including to provide breach notification where required, can be substantial. We may have to notify stakeholders of security breaches, which may harm our reputation and expose us to loss of consumers and business. Breach notification can lead to negative publicity, may cause our consumers to lose confidence in the effectiveness of our security measures, and could require us to expend significant capital and other resources to respond to and/or alleviate problems caused by the actual or perceived security breach. A security breach could lead to claims by our customers, or other relevant stakeholders that we have failed to comply with our legal or contractual obligations. As a result, we could be subject to legal action or our customers could end their relationships with us. There can be no assurance that any limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages. We could be required to fundamentally change our business activities and practices in response to a security breach or related regulatory actions or litigation, which could have an adverse effect on our business. We may not have, or in the future be able to obtain, adequate insurance coverage for security incidents or breaches, including fines, judgments, settlements, penalties, costs, attorney fees and other impacts that arise out of incidents or breaches. Any incidents may result in loss of, or increased costs of, our cybersecurity insurance. We also cannot ensure that our existing insurance coverage will continue to be available on acceptable terms or will be available in sufficient amounts to cover one or more large claims related to a security incident or breach, or that the insurer will not deny coverage as to any future claim. If the impact of a security incident or breach or the successful assertion of one or more large claims against us exceeds our available insurance coverage or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), it could have an adverse effect on our business, financial condition, reputation and results of operations.

We collect, store, share, use, retain, safeguard, transfer, analyze and otherwise process, and our vendors process on our behalf, personal information, confidential information and other information necessary to provide and deliver our products through our e-commerce channel to operate our business, for legal and marketing purposes, and for other business-related purposes. Collection and use of this information might raise privacy and data protection concerns, which could negatively impact our business. Data privacy and information security has become a significant issue in the United States, countries in Europe, and in many other countries. The legal and regulatory framework for privacy and security issues is rapidly evolving and is expected to increase our compliance costs and exposure to liability. There are numerous federal, state, local, and international laws, orders, codes, rules, regulations and regulatory guidance regarding privacy, information security and processing (which we collectively refer to as "Data Protection Laws"), the number and scope of which is changing, subject to differing applications and interpretations, and which may be inconsistent among jurisdictions, or in conflict with other rules, laws or obligations (which we collectively refer to as "Data Protection Obligations"). Therefore, the regulatory framework for privacy and data protection worldwide is, and is likely to remain, uncertain and complex for the foreseeable future, and our actual or perceived failure to address or comply with applicable Data Protection Laws and Data Protection Obligations could have an adverse effect on our business, financial condition, results of operations and prospects. We also expect that there will continue to be new Data Protection Laws and Data Protection Obligations, and we cannot yet determine the impact such future Data Protection Laws and Data Protection Obligations may have on our business. Any significant change to Data Protection Laws and Data Protection Obligations, including without limitation, regarding the manner in which the express or implied consent of consumers for processing is obtained, could increase our costs and require us to modify our operations, possibly in a material manner, which we may be unable to complete and may limit our ability to store and process consumer data and operate our business. We are or may also be subject to the terms of our external and internal privacy and security policies, codes, representations, certifications, industry standards, publications and frameworks (which we collectively refer to as "Privacy Policies") and contractual obligations to third parties related to privacy, information security and processing, including contractual obligations to indemnify and hold harmless third parties from the costs or consequences of non-compliance with Data Protection Laws or Data Protection Obligations. We may not be successful in achieving compliance if our employees, partners or vendors do not comply with applicable Data Protection Laws, Privacy Policies and Data Protection Obligations. If we or our vendors fail (or are perceived to have failed) to comply with applicable Data Protection Laws, Privacy Policies and Data Protection Obligations, or if our Privacy Policies are, in whole or part, found to be inaccurate, incomplete, deceptive, unfair, or misrepresentative of our actual practices, our business, financial condition, results of operations and prospects could be adversely affected. In the United States, our obligations include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the California Consumer Privacy Act (the "CCPA") and other state and federal laws relating to privacy and data security. The CCPA, requires companies that process information of California residents to make new disclosures to consumers about their data collection, use and sharing practices, allows consumers to opt out of the sale of personal information with third parties and prohibits covered businesses from discriminating against California residents (for example, charging more for services) for exercising any of their rights under the CCPA. The law also provides a private right of action and statutory damages for certain data breaches that result in the loss of personal information. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. However, it remains unclear how various provisions of the CCPA will be interpreted and enforced. Therefore, the CCPA may increase our compliance costs and potential liability. In addition, the California Privacy Rights Act of 2020 ("CPRA") significantly modifies the CCPA, and imposes additional data protection obligations on companies doing business in California, resulting in further complexity. The law, among other things, gives California residents the ability to limit the use of their sensitive information, provides for penalties for CPRA violations concerning California residents under the age of 16, and establishes a new California Privacy Protection Agency to implement and enforce the law. The effects of this legislation are potentially far-reaching and may impact our business. Some observers have noted that the CCPA could mark the beginning of a trend toward more stringent privacy legislation in the United States, which could increase our potential liability and adversely affect our business, financial condition, results of operations and prospects. Other jurisdictions in the United States have already passed or are considering laws similar to the CCPA and CPRA, with potentially greater penalties and more rigorous compliance requirements relevant to our business. Many state legislatures have already adopted legislation that regulates how businesses operate online, including measures relating to privacy, data security, data breaches and the protection of sensitive and personal information. For example, on March 2,2021, Virginia enacted the Virginia Consumer Data Protection Act (the "CDPA"), a comprehensive privacy statute that shares similarities with the CCPA, CPRA, and legislation proposed in other states. The CDPA, which became effective on January 1, 2023, has required and will require us to incur additional costs and expenses in an effort to comply with it. Colorado also has a similar law, the Colorado Privacy Act (the "CPA"), which became effective on July 1, 2023. Many other states have adopted or are currently considering proposed comprehensive data privacy legislation and all 50 states have passed at least some form of data privacy legislation (for example, all 50 states have enacted laws requiring disclosure of certain personal data breaches). At the federal level, the United States Congress is also considering various proposals for comprehensive federal data privacy legislation and, while no comprehensive federal data privacy law currently exists, we are subject to applicable existing federal laws and regulations, such as the rules and regulations promulgated under the authority of the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and security. These state statutes, and other similar state or federal laws, may require us to modify our data processing practices and policies and incur substantial compliance-related costs and expenses. We rely on a variety of marketing techniques and practices, including email and social media marketing, online targeted advertising, cookie-based processing, and postal mail to sell our products and services and to attract new consumers, and we, and our vendors, are subject to various current and future Data Protection Laws and Data Protection Obligations that govern marketing and advertising practices. Governmental authorities continue to evaluate the privacy implications inherent in the use of third-party "cookies" and other methods of online tracking for behavioral advertising and other purposes, such as by regulating the level of consumer notice and consent required before a company can employ cookies or other electronic tracking tools or the use of data gathered with such tools. Additionally, some providers of consumer devices, web browsers and application stores have implemented, or announced plans to implement, means to make it easier for Internet users to prevent the placement of cookies or to block other tracking technologies, require additional consents, or limit the ability to track user activity, which could if widely adopted result in the use of third-party cookies and other methods of online tracking becoming significantly less effective. Laws and regulations regarding the use of these cookies and other current online tracking and advertising practices or a loss in our ability to make effective use of services that employ such technologies could increase our costs of operations and limit our ability to acquire new consumers on cost-effective terms, which, in turn, could have an adverse effect on our business, financial condition, results of operations and prospects.

Our distribution centers, as well as our headquarters, are located in areas that have a history of natural disasters, including severe weather events, rendering our distribution centers vulnerable to damage. Any large-scale damage, to or catastrophic loss of products stored in our distribution centers due to natural disasters or man-made disasters such as arson,theft, power disruptions, computer viruses, data security breaches or terrorism, could result in the reduction in value of our inventory and a significant disruption in our business. Further, natural disasters such as earthquakes, hurricanes, tornadoes, fires, floods and other adverse weather and climate conditions; unforeseen health crises, such as pandemics and epidemics, political crises, such as terrorist attacks, war and other political instability; or other catastrophic events, could disrupt our operations in any of our offices, our remote workforce and distribution centers. Such events may in the future slow or temporarily halt our operations and harm our business, results of operations and financial condition.

Our business depends on consumer discretionary spending. Some of the factors that may negatively influence consumer spending include high levels of unemployment; higher consumer debt levels; reductions in net worth, declines in asset values, and related market uncertainty; home foreclosures and reductions in home values; fluctuating interest rates and credit availability; fluctuating fuel and other energy costs; fluctuating commodity prices; the high rate of inflation and general uncertainty regarding the overall future political and economic environment. Furthermore, any increases in consumer discretionary spending during times of crisis may be temporary, such as those related to government stimulus programs or remote-work environments, and consumer spending may decrease when those programs or circumstances end. In addition, economic conditions in certain regions may be affected by natural disasters, such as hurricanes, tropical storms, earthquakes, and wildfires; other public health crises; and other major unforeseen events. Consumer purchases of discretionary items, including the merchandise that we offer, generally decline during recessionary periods or periods of economic uncertainty, when disposable income is reduced or when there is a reduction in consumer confidence. Any decline in consumer discretionary spending could negatively impact our revenue, which could have a material adverse effect on our business, financial condition and results of operations.