Failure to comply with the increasing number of data protection laws in the jurisdictions in which we operate, as well as concerns about our practices with regard to the collection, use, storage, retention, transfer, disclosure, and other processing of personal data, the security of personal data, or other privacy-related matters, such as cybersecurity breaches, misuse of personal data and data sharing without necessary safeguards, including concerns from our customers, employees and third parties with whom we conduct business, even if unfounded, could damage our reputation and operating results. As we seek to expand our business, we are, and may increasingly become, subject to various laws, regulations and standards, as well as contractual obligations, relating to data privacy and security in the jurisdictions in which we operate. The regulatory and legal frameworks regarding data privacy and security issues in many jurisdictions are constantly evolving and developing and can be subject to significant changes from time to time, including in ways that may result in conflicting requirements among various jurisdictions. Interpretation and implementation standards and enforcement practices are similarly in a state of flux and are likely to remain uncertain for the foreseeable future. As a result, we may not be able to comprehensively assess the scope and extent of our compliance responsibility at a global level and we may fail to fully comply with the applicable data privacy and security laws, regulations and standards. Moreover, these laws, regulations and standards may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible that they will be interpreted and applied in ways that may have a material and adverse impact on our business, financial condition and results of operations.
In certain jurisdictions in which we operate, stringent, extra-territorial data protection laws exist which increase our compliance burden and the risk of scrutiny. For example, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), which applies to the collection, use, storage, retention, transfer, disclosure, and other processing of personal data obtained from individuals located in the European Union ("EU") and in the United Kingdom ("UK") or by businesses operating within the EU or the UK, became effective on May 25, 2018 and has resulted, and will continue to result, in significantly greater compliance burdens and costs for companies with customers, end users, or operations in the EU. The GDPR, which in post-Brexit UK is known as the "UK GDPR," places stringent obligations and operational requirements on us as both a processor and controller of personal data and could make it more difficult or more costly for us to use and share personal data. Under the GDPR, data protection supervisory authorities are given various enforcement powers, including levying fines of up to 20 million Euros or up to 4% of an organization's annual worldwide turnover, whichever is greater, for the preceding financial year, for non-compliance. Data subjects also have the right to be compensated for damages suffered as a result of a controller or processor's non-compliance with the GDPR. While the GDPR provides a more harmonized approach to data protection regulation across the EU member states and the UK, it also gives EU member states and the UK certain areas of discretion and therefore laws and regulations in relation to certain data processing activities may differ on a member state by member state basis, which could further limit our ability to use and share personal data and could require localized changes to our operating model. 
In addition to the GDPR, the EU also has released a proposed Regulation on Privacy and Electronic Communications, or the ePrivacy Regulation, to replace the EU's current Privacy and Electronic Communications Directive, or the ePrivacy Directive, to, among other things, better align EU member states and the rules governing online tracking technologies and electronic communications, such as unsolicited marketing and cookies, with the requirements of the GDPR. While the ePrivacy Regulation was originally intended to be adopted on May 25, 2018 (alongside the GDPR), it is currently going through the European legislative process, and commentators now expect it to be adopted after 2024. The current draft of the ePrivacy Regulation significantly increases fining powers to the same levels as GDPR and may require us to change our operational model and incur additional compliance expenses. Additional time and effort may need to be spent addressing the new requirements in the potential ePrivacy Regulation as compared to the GDPR.
Under the GDPR, restrictions are placed on transfers of personal data outside of the European Economic Area and the UK to countries which have not been deemed "adequate" by the European Commission (including the United States). As a global business, with customers and end users worldwide, we are susceptible to any changes in legal requirements affecting international data flows. On July 10, 2023, the European Commission adopted its adequacy decision for the new EU-US Data Privacy Framework following the invalidation of its predecessor, the EU-US Privacy Shield. This decision re-established a previously popular mechanism to legitimize cross-border transfers of personal data between the EU and the U.S. The new Data Privacy Framework was immediately challenged in the EU courts, just as Privacy Shield was, and it is unclear whether the new Framework will survive judicial review. While the invalidation of Privacy Shield did not invalidate the use of standard contractual clauses, a second mechanism for making lawful cross-border transfers, the decision has called the validity of standard contractual clauses into question under certain circumstances. In response, the European Data Protection Board and the UK Information Commissioner's Office recently published new versions of the standard contractual clauses that purport to address the CJEU's decision. Taken together, these recent legal developments have made the legality of transferring personal data from the EU to the U.S. or various other jurisdictions outside of the EU more uncertain. Due to this evolving regulatory guidance, we may need to invest in additional technical, legal and organizational safeguards in the future to avoid disruptions to data flows within our business and to and from our customers and service providers.
Furthermore, this uncertainty, and its eventual resolution, may increase our costs of compliance, impede our ability to transfer data and conduct our business, and harm our business or results of operations.
Our business also increasingly relies on artificial intelligence to improve our platform, services, and features. However, in recent years use of these methods has come under increased regulatory scrutiny. New laws, guidance and/or decisions in this area may limit our ability to use artificial intelligence, or require us to make changes to our platform or operations that may decrease our operational efficiency, result in an increase to operating costs and/or hinder our ability to improve our services. For example, there are specific rules on the use of automated decision making under the applicable UK/EU data protection laws that require the existence of automated decision making to be disclosed to the data subject with a meaningful explanation of the logic used in such decision making in certain circumstances, and safeguards must be implemented to safeguard individual rights, including the right to obtain human intervention and to contest any decision.
In the EU, the EU Artificial Intelligence Act ("EU AI Act") entered into force across all Member States in August 2024, establishing a comprehensive, risk-based governance framework for artificial intelligence in the EU market. The EU AI Act applies to companies that develop, use and/or provide artificial intelligence in the EU and includes requirements around transparency, conformity assessments and monitoring, risk assessments, human oversight, security, accuracy, general purpose artificial intelligence and foundation models, and proposes fines for breach of up to 7% of worldwide annual turnover. The EU AI Act will continue to have a material impact on the way artificial intelligence is regulated in the EU, and together with developing guidance and/or decisions in this area, may affect our use of artificial intelligence and our ability to provide and to improve our services, require additional compliance measures and changes to our operations and processes, result in increased compliance costs and potential increases in civil claims against us, and could adversely affect our business, operations and financial condition.
Outside of the EU and UK, many jurisdictions have adopted or are adopting new data privacy and security laws, which may result in additional expenses to us and increase the risk of non-compliance. For example, in the United States, various federal and state regulators, including governmental agencies like the Federal Trade Commission, have adopted, or are considering adopting, laws and regulations concerning personal data and data security. This patchwork of legislation and regulation may give rise to conflicts or differing views of personal privacy rights. For example, certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to personal data than federal, international or other state laws, and such laws may differ from each other, all of which may complicate compliance efforts. One such comprehensive privacy law in the United States is the California Consumer Privacy Act ("CCPA"), which came into effect on January 1, 2020. Among other things, the CCPA requires companies that process information of California residents to make new detailed disclosures to consumers about such companies' data collection, use and sharing practices, gives California residents expanded rights to access and delete their personal information, and to opt out of certain personal information sharing with (and sales of personal information to) third parties. The CCPA provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal data. This private right of action is expected to increase the likelihood of, and risks associated with, data breach litigation. The CCPA was amended in September 2018, November 2019 and September 2020, and it is possible that further amendments will be enacted, but even in its current form it remains unclear how various provisions of the CCPA will be interpreted and enforced. 
Additionally, a new privacy law, the California Privacy Rights Act ("CPRA"), which took effect in most material respects on January 1, 2023, modifies the California Consumer Privacy Act significantly, including by expanding consumers' rights with respect to certain sensitive personal information and creating a new state agency to oversee implementation and enforcement efforts, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses in an effort to comply. Other state privacy laws with similarities to the CCPA, such as the Colorado Privacy Act, the Connecticut Data Privacy Act, the Oregon Consumer Data Privacy Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Privacy Act, and the Texas Data Privacy and Security Act came into force in 2023 and 2024. Iowa, Indiana, Tennessee, and Montana have each recently passed their own general consumer privacy laws, which will come into force later in 2024, 2025, and 2026, and there have been ongoing discussions and proposals in the U.S. Congress with respect to new federal data privacy and security laws to which we would become subject if enacted. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may require us to modify our data processing practices and policies, divert resources from other initiatives and projects, and could restrict the way products and services involving data are offered, all of which may have a material and adverse impact on our business, financial condition and results of operations.
In addition to government regulation, privacy advocates and industry groups have proposed, and may in the future propose, self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. New laws, amendments to or re-interpretations of existing laws, regulations, standards and other obligations may require us to incur additional costs and restrict our business operations. For example, there is an increasing trend of jurisdictions requiring data localization, which may prohibit companies from storing data relating to resident individuals in data centers outside the relevant jurisdiction or, at a minimum, require a complete set of the data to be stored in data centers within the relevant jurisdiction. Because the interpretation and application of laws, regulations, standards and other obligations relating to data privacy and security are still uncertain, it is possible that these laws, regulations, standards and other obligations may be interpreted and applied in a manner that is inconsistent with our data processing practices and policies or the features of our products and services. If so, in addition to the possibility of fines, lawsuits, regulatory investigations, public censure, other claims and penalties, and significant costs for remediation and damage to our reputation, we could be materially and adversely affected if legislation or regulations are expanded to require changes in our data processing practices and policies or if governing jurisdictions interpret or implement their legislation or regulations in ways that negatively impact our business, financial condition and results of operations.
Furthermore, the developing requirements relating to clear and prominent privacy notices (including in the context of obtaining informed and specific consents to the collection and processing of personal data, where applicable) may potentially deter end users from consenting to certain uses of their personal data. In general, negative publicity of us or our industry regarding actual or perceived violations of our end users' privacy-related rights, including fines and enforcement actions against us or other similarly placed businesses, also may impair users' trust in our privacy practices and make them reluctant to give their consent to share their data with us. Any inability to adequately address data privacy or security-related concerns, even if unfounded, or to comply with applicable laws, regulations, standards and other obligations relating to data privacy and security, could result in additional cost and liability to us, harm our reputation and brand, damage our relationships with consumers and have a material and adverse impact on our business, financial condition and results of operations.
With regard to our commercial arrangements, we and our counterparties, including business partners and external service providers, might be subject to contractual obligations regarding the processing of personal data. While we believe our and our counterparties' conduct under these agreements is in material compliance with all applicable laws, regulations, standards, certifications and orders relating to data privacy or security, we or our counterparties may fail, or be alleged to have failed, to be in full compliance. In the event that our acts or omissions result in alleged or actual failure to comply with applicable laws, regulations, standards, certifications and orders relating to data privacy or security, we may incur liability. While we endeavor to include indemnification provisions or other protections in such agreements to mitigate liability and losses stemming from our counterparties' acts or omissions, we may not always be able to negotiate for such protections and, even where we can, there is no guarantee that our counterparties will honor such provisions or that such protections will cover the full scope of our liabilities and losses.
While we strive to comply with our internal data privacy guidelines as well as all applicable data privacy and security laws and regulations, and contractual obligations in respect of personal data, there is no assurance that we are able to comply with these laws, regulations and contractual obligations in all respects. Any failure or perceived failure by us, external service providers or business partners to comply may result in proceedings or actions against us, including fines and penalties or enforcement orders (including orders to cease processing activities) being levied on us by government agencies or proceedings or actions against us by our business partners, customers or end-users, including class action privacy litigation in certain jurisdictions, and could damage our reputation and discourage current and future users from using our products and services, which could materially and adversely affect our business, financial condition and results of operations. In addition, compliance with applicable laws on data privacy requires substantial expenditure and resources, including to continually evaluate our policies and processes and adapt to new requirements that are or become applicable to us on a jurisdiction-by-jurisdiction basis, which would impose significant burdens and costs on our operations or may require us to alter our business practices. Concerns about the security of personal data also could lead to a decline in general Internet usage, which could result in a decrease in demand for our products and services and have a material and adverse effect on our business, financial condition and results of operations. Furthermore, if the local government authorities in our target markets require real-name registration for users of our platform, the growth of our customer and end-user bases may slow down and our business, financial condition and results of operations may be adversely affected.