Quotient Technology (QUOT) Risk Analysis

We process data about consumers, including personally identifiable information or personal data, as well as other confidential or proprietary information necessary to operate our business, for legal and marketing purposes, and for other business-related purposes. While we and our third-party service providers have implemented security measures designed to protect against security breaches, like all businesses that use computer systems and the Internet, our security measures, as well as those of companies we may acquire and our third-party service providers and partners, could fail or may be insufficient, resulting in the unauthorized disclosure, modification, misuse, unavailability, destruction, or loss of our or our customers' data or other sensitive information. Any security breach of our operational systems, physical facilities, or the systems of our third-party partners, or the perception that one has occurred, could result in litigation, indemnity obligations, regulatory enforcement actions, investigations, fines, penalties, mitigation and remediation costs, disputes, reputational harm, diversion of management's attention, and other liabilities and damage to our business. Even though we do not control the security measures of third parties, we may be responsible for any breach of such measures or suffer reputational harm even where we do not have recourse to the third party that caused the breach. In addition, any failure by our retail partners or other third-party partners to comply with applicable law or regulations could result in proceedings against us by governmental entities or others. Cyberattacks, denial-of-service attacks, ransomware attacks, business email compromises, computer malware, viruses, social engineering (including phishing) and other malicious internet-based activity are prevalent in our industry, and our customers and partners' industries, and continue to increase. In addition, we may experience software or other code vulnerabilities, attacks, unavailable systems, unauthorized access or disclosure due to employee or other theft or misuse, denial-of-service attacks, sophisticated attacks by nation-state and nation-state supported actors, and advanced persistent threat intrusions. We and our third party service providers regularly defend against and respond to a variety of cybersecurity attacks and incidents. Despite our efforts to ensure the security, privacy, integrity, confidentiality, availability and authenticity of the information technology (IT) networks and systems, processing and information, we may not be able to anticipate or to implement effective preventive and remedial measures against, or adequately respond to mitigate the impact of, all data security and privacy threats and attacks. We cannot guarantee that the recovery systems, security protocols, network protection mechanisms and other security measures that we have integrated into our systems, networks and physical facilities, which are designed to protect against, detect and minimize security breaches, will be adequate to prevent or detect service interruption, system failure data loss or theft, or other material adverse consequences. No security solution, strategy, or measures can address all possible security threats or block all methods of penetrating a network or otherwise perpetrating a security incident. The risk of unauthorized circumvention of our security measures, or those of our third-party providers, clients and partners, has been heightened by advances in computer and software capabilities and the increasing sophistication of hackers who employ complex techniques, including without limitation the theft or misuse of personal and financial information, counterfeiting, "phishing" attacks (including those directed toward SMS/texting services) or social engineering incidents, ransomware, extortion, publicly announcing security breaches, account takeover attacks, denial or degradation of service attacks, malware, fraudulent payment and identity theft. The techniques used to sabotage, disrupt or to obtain unauthorized access to our applications, systems, networks, or physical facilities in which data is stored or through which data is transmitted change frequently, and we may be unable to implement adequate preventative measures or stop security breaches while they are occurring. The recovery systems, security protocols, network protection mechanisms and other security measures that we have integrated into our applications, systems, networks and physical facilities, which are designed to protect against, detect and minimize security breaches, may not be adequate to prevent or detect service interruption, system failure or data loss. Additionally, to provide protection against the occurrence of a cybersecurity event, we rely on the IT professionals within our organization to monitor, diagnose and remediate threats arising within our network. To the extent we experience attrition in this area and are required to shift workloads, or acquire and train supplementary IT talent, we could face increased risks of experiencing a materially harmful cybersecurity event. In addition, our applications, systems, networks, and physical facilities could be breached, or personal information could be otherwise compromised, due to employee error or malfeasance if, for example, third parties attempt to fraudulently induce our employees, customers or partners to disclose information or user names and/or passwords, or otherwise compromise the security of our networks, systems and/or physical facilities. Third parties may also exploit vulnerabilities in, or obtain unauthorized access to, platforms, applications, systems, networks and/or physical facilities utilized by our vendors. We have been, and may in the future become, the target of cyber-attacks by third parties seeking unauthorized access to our or our customers or partners' data or to disrupt our operations or ability to provide our services. While we have been successful in preventing such unauthorized access and disruption in the past, we may not continue to be successful against these or other attacks in the future. A significant percentage of our employees continue to work under remote or hybrid working arrangements, which may pose additional data security risks. These risks will continue as we continue to operate both remote and hybrid arrangements for employees. If we, or our service providers and partners, experience compromises to security that result in performance or availability problems, or experience the complete shutdown of one or more of our platforms, digital properties and mobile applications, or suffer the misuse, loss or unauthorized access to or disclosure of confidential information, personally identifiable information or other personal or proprietary data, advertisers, retailers, and consumers may lose trust and confidence in us and decrease their use of our platforms or stop using our platforms entirely. Such compromises to personal or sensitive information or proprietary data could lead to litigation or other adversarial actions by business partners such as retailers or consumers. The costs to respond to a security breach and/or to mitigate any security vulnerabilities that may be identified could be significant, our efforts to address these problems may not be successful, and these problems could result in unexpected interruptions, delays, cessation of service, negative publicity, and other harm to our business and our competitive position. We could be required to fundamentally change our business activities and practices in response to a security breach or related regulatory actions or litigation, which could have an adverse effect on our business. We have contractual and legal obligations to notify relevant stakeholders of security breaches. Most jurisdictions have enacted laws requiring companies to notify individuals, regulatory authorities, and others of security breaches involving certain types of data. In addition, our agreements with certain customers and partners may require us to notify them in the event of a security breach involving customer or partner data on our systems or those of subcontractors processing customer or partner data on our behalf. Such mandatory disclosures are costly, could lead to negative publicity, may cause our customers to lose confidence in the effectiveness of our security measures, and require us to expend significant capital and other resources to respond to or alleviate problems caused by the actual or perceived security breach may cause us to breach customer contracts. Depending on the facts and circumstances of such an incident, these damages, penalties and costs could be significant and may not be covered by insurance, or could exceed our applicable insurance coverage limits. Such an event also could harm our reputation and result in litigation against us. Any of these results could materially adversely affect our financial performance. Our agreements with certain customers may require us to use industry-standard, reasonable, or other specified measures to safeguard sensitive personal information or confidential information, and any actual or perceived breach of such measures may increase the likelihood and frequency of customer audits under our agreements, which is likely to increase the costs of doing business. An actual or perceived security breach could lead to claims by our customers or other relevant stakeholders that we have failed to comply with such legal or contractual obligations. As a result, we could be subject to legal action or our customers could end their relationships with us. There can be no assurance that any limitations of liability in our contracts, which we have in certain agreements, would be enforceable or adequate or would otherwise protect us from liabilities or damages. Litigation resulting from security breaches may adversely affect our business. Unauthorized access to our applications, systems, networks, or physical facilities could result in litigation with our customers or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management's time and attention, increase our costs of doing business, or adversely affect our reputation. We could be required to fundamentally change our business activities and practices, or to modify our business and operational capabilities in response to such litigation, which could have an adverse effect on our business. If a security breach were to occur, and the confidentiality, integrity or availability of our data or the data of our partners or our customers were to be disrupted, we could incur significant liability, or our applications, systems or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation. If we fail to detect or remediate a security breach in a timely manner, or a breach otherwise affects a large amount of data of one or more of our customers or partners, or if we suffer a cyberattack that impacts our ability to operate our applications, systems or networks, we may suffer material damage to our reputation, business, financial condition and results of operations. Further, we may not have adequate insurance coverage for security incidents or breaches, including fines, judgments, settlements, penalties, costs, attorney fees and other impacts that arise out of incidents or breaches. Depending on the facts and circumstances of such an incident, the damages, penalties and costs could be significant and may not be covered by insurance, or could exceed our applicable insurance coverage limits. If the impacts of a security incident or breach, or the successful assertion of one or more large claims against us that exceeds our available insurance coverage, or results in changes to our insurance policies (including premium increases or the imposition of large deductible or co-insurance requirements), it could have an adverse effect on our business. In addition, we cannot be sure that our existing insurance coverage and coverage for errors and omissions will continue to be available on acceptable terms or that our insurers will not deny coverage as to all or part of any future claim or loss. Our risks are likely to increase as we continue to expand our applications, systems, and networks, grow our customer base, and Process, store, and transmit increasingly large amounts of proprietary and sensitive data. Remediation of any potential cybersecurity breach may involve significant time, resources, and expenses, which may result in potential regulatory inquiries, litigation or other investigations, and could affect our financial and operational condition.

We expect competition in digital marketing to continue to increase. This industry is competitive, fragmented and rapidly changing. We compete against a variety of companies with respect to different aspects of our business, including: - Direct-to-consumer apps such as iBotta, Inc. and Fetch Rewards, which offer cash back rebate and rewards solutions;- other providers of digital promotions such as Valassis Communications, Inc.; Catalina Marketing Corporation's Cellfire; Inmar/You Technology; and Neptune Retail Solutions;- offline coupon and discount services, as well as newspapers, magazines and other traditional media companies that provide coupon promotions and discounts on products and services in FSIs or other forms, including Valassis Communications, Inc., Neptune Retail Solutions and Catalina Marketing Corporation;- retailers who develop and manage, with or without a third-party vendor, retail media or data products in-house, such as the Albertsons Media Collective, or The Kroger Company ("Kroger") with its wholly owned subsidiary of 84.51°; and - companies offering digital advertising technology, inventory, data, and services solutions and channels for advertisers and retailers including: Meta Platforms, Inc.(doing business as Facebook), Alphabet, Inc. ("Alphabet"), Pinterest, Inc., Amazon.com, Inc. ("Amazon"), Adobe Inc., The Trade Desk Inc., Oracle Corporation, Criteo S.A., Microsoft Corporation, Publicis Groupe's CitrusAd, and others. In certain instances, we have entered into, and in the future we may enter into, strategic alliances or partnerships with companies that are competitors in other areas of our business. We believe the principal factors that generally determine a company's competitive advantage in our market include the following: - scale and effectiveness of reach in connecting advertisers and retailers to consumers in a digital manner;- scale and reach of a company's retailer and publisher network;- scale and reach of a company's targetable audience data;- ability to attract consumers, retailers and CPGs to a company's platform and solutions;- breadth, quality and relevance of a company's solutions and ability to innovate - platform security, usability, scalability, reliability and availability;- integration with retailer applications, POS systems, and consumer channels;- access to and quality of consumer data, including transaction data;- ability to measure, and measurement that demonstrates the effectiveness of campaigns;- quality of tools, reporting and analytics for planning, development and optimization of digital marketing campaigns;- integration of products and solutions;- ability to rapidly deploy products and services for customers;- ability to deliver high quality and increasing numbers of digital promotions that are widely available and easy to use in consumers' preferred form;- brand recognition and reputation; and - ability to recruit, retain and train employees. We are subject to competition from large, well-established companies which have significantly greater financial, marketing and other resources than we do, and which have offerings that compete with our platforms or may choose to offer digital promotions and media and audiences as an add-on to their core business on their own or in partnership with one of our competitors that would directly compete with ours. Many of our larger actual and potential competitors have the resources to significantly change the nature of the digital promotions industry to their advantage, which could materially disadvantage us. For example, Alphabet and Facebook, retailers such as Kroger and online retailers such as Amazon have highly trafficked industry platforms which they have leveraged, or could leverage, to distribute digital promotions and media that could negatively affect our business. In addition, these potential competitors may have greater access to first-party data, and may be able to respond more quickly than we can to new or emerging technologies and changes in consumer habits. These competitors may engage in more extensive research and development efforts, undertake more far-reaching marketing campaigns and adopt more aggressive pricing policies, which may allow them to attract more consumers and, as a result, more advertisers and retailers, and thereby generate revenues more effectively than we do. Our competitors may offer digital promotions or targeted media campaigns that are similar to the digital promotions and targeted media campaigns we offer or that achieve greater market acceptance than those we offer. We are also subject to competition from smaller companies that launch similar or new products and services that we do not offer and that could gain market acceptance. We may also face claims or lawsuits from our competitors. For example, in February 2021, Catalina Marketing Corporation filed a complaint against us, alleging that we engaged in predatory pricing practices and misleading communications with potential customers in connection with our in-lane promotions solution. While we believe that Catalina's claims are without merit, we could incur substantial costs and resources defending against the claims, and the pendency of the litigation could cause uncertainty among our customers or prospective customers, all of which could have an adverse effect on our business, operating results and financial condition. Our success depends on the effectiveness of our platforms in connecting advertisers and retailers with consumers, and in attracting consumer use of the digital promotions and media delivered through our platforms. To the extent we fail to provide digital promotions and media for high quality, relevant products, or otherwise fail to successfully reach consumers on their mobile devices or elsewhere, consumers may become dissatisfied with our platforms and decide not to use our digital promotions, not interact with our digital media, and/or elect to use or view instead the digital promotions and media distributed by one of our competitors. As a result of these factors, our advertisers and retailers may not receive the benefits they expect, advertisers may opt to use the offerings of one of our competitors, and retailers may elect to handle promotions and media themselves or exclude us from integrating with their in-store and POS systems or with consumer channels. In any of these circumstances, our operating results would be adversely affected. Similarly, if retailers elect to use a competitive distribution network or platform, or develop their own solution in-house and we do not have, or fail to maintain, an agreement to distribute content through that network or platform, advertisers may elect to provide digital promotions and media directly to that network or platform, instead of through our platforms. Additionally, if retailers and advertisers require our platforms to integrate with competitive offerings instead of using our products, we could lose some of our competitive advantage and our business could be negatively affected. We also face significant competition for trade promotion and marketing spending. We compete against online and mobile businesses, including those referenced above, and traditional advertising outlets, such as television, radio and print, for marketing dollar spending (also referred to as "spend"). In order to grow our revenues and improve our operating results, we must increase our share of advertiser spending on digital promotions and media relative to traditional sources and relative to our competitors, many of whom are larger companies that offer more traditional and widely accepted media products. We also directly compete with retailers who develop and manage, with or without a third-party vendor, retail media and data products in-house, such as the Albertsons Media Collective, or The Kroger Company with its wholly owned subsidiary of 84.51°. Specifically, many retailers market and offer their own digital advertising solutions, including retail media, targetable audiences and sponsored search, directly to advertisers. We also compete with retailers directly and indirectly for consumer traffic. Retailers will market promotions and media directly to consumers using their own websites, email newsletters and alerts, mobile applications, and social media channels. Additionally, some retailers also market and offer their own digital promotions and media directly to consumers using our platforms for which we earn no revenue. Our retailers could be more successful than we are at marketing their own digital promotions and media, develop or expand their own in-house capabilities or decide to manage retailer performance media in-house, and accordingly could decide to terminate their relationship with us or renew the relationship on less favorable terms than existed previously. We may face competition from companies we do not yet know about. If existing or new companies develop, market or offer competitive digital promotions solutions, acquire one of our existing competitors or form a strategic alliance with one of our competitors, our ability to compete effectively could be significantly compromised and our operating results could be negatively affected.

Our business is exposed to risks related to customer concentration, particularly among advertisers or their agencies, and partner concentration, particularly among retailers. The loss of or decrease in spending by any of our significant customers, or the loss of or decrease in support from any of our significant partners, or a deterioration in our relationships with any of them, could materially and adversely affect our revenues, results of operations and financial condition. As an example, the loss of a retailer, or retailer support, such as the termination of our partnership with Albertsons or retailers taking retail media in-house, negatively impacts the amount that advertisers spend on our platforms.

We believe that the brand identity that we have developed has significantly contributed to the success of our business. We also believe that maintaining and enhancing our brand is critical to expanding our base of advertisers, retailers and consumers. Maintaining and enhancing our brands may require us to make substantial investments and these investments may not be successful. If we fail to promote and maintain our brands, or if we incur excessive expenses in this effort, our business would be negatively affected. We anticipate that, as our market becomes increasingly competitive, maintaining and enhancing our brands may become increasingly difficult and expensive. Unfavorable publicity or consumer perception of our websites, mobile applications, platforms, practices or service offerings, or the offerings of our advertisers and retailers, could adversely affect our reputation, resulting in difficulties in recruiting, decreased revenues and a negative impact on the number of advertisers and retailers we feature, our user base, the loyalty of our consumers, and the number and variety of digital promotions that we offer. As a result, our business could be negatively affected.

We Process data about consumers, including personally identifiable information or personal data, as well as other confidential or proprietary information necessary to operate our business, for legal and marketing purposes, and for other business-related purposes. We collect such information from individuals located both in the United States and abroad, and may store or Process such information outside the country in which it was collected. The legal and regulatory framework for privacy and security issues is rapidly evolving across the globe, and is expected to increase our compliance costs and exposure to liability. We and our service providers and partners are subject to a variety of federal, state and foreign laws, regulations and industry standards regarding privacy, data protection, data security, marketing and consumer protection, which address the Processing of data relating to individuals, as well as the tracking of consumer behavior and other consumer data ("Data Protection Laws"). We are also subject to laws, regulations and industry standards relating to endorsements and influencer marketing. Many of these laws, regulations and industry standards are changing and expanding, including those that offer consumers additional privacy rights with regard to profiling and online behavioral advertising. These laws, regulations and industry standards may be subject to differing interpretations, may be inconsistent among countries, may be costly to comply with or inconsistent among jurisdictions, or may conflict with other rules, laws or Data Protection Obligations. Various industry standards on privacy and data security have been developed and are expected to continue to develop, which standards may be adopted by industry participants at any time. We have committed to comply, and generally require our customers and partners to comply, with applicable self-regulatory principles such as the Network Advertising Initiative's Code of Conduct and the Digital Advertising Alliance's Self-Regulatory Principles for Online Behavioral Advertising in the U.S. Trade associations and industry self-regulatory groups have also promulgated best practices and other industry standards relating to targeted advertising. Our efforts to comply with these self-regulatory principles include offering Internet users notice and choices about when advertising is served to them based, in part, on their interests. If we, our clients or partners make mistakes in the implementation of these principles, if self-regulatory bodies expand these guidelines or government authorities issue different guidelines regarding Internet-based advertising, if opt out mechanisms fail to work as designed, or if Internet users misunderstand our technology or our commitments with respect to these principles, we may be subject to negative publicity, government investigation, government or private litigation, or investigation by self-regulatory bodies or other accountability groups. Any such action against us or investigations of us, even if meritless, could be costly and time consuming, require us to change our business practices, cause us to divert management's attention and our resources away from business activities, and be damaging to our brand, reputation, and business. In addition, privacy advocates and industry groups may propose new and different self-regulatory standards that legally apply to us. We cannot yet determine the impact such future standards may have on our business. We are or may also be subject to the terms of our external and internal privacy and security policies, codes, representations, certifications, industry standards, publications and frameworks ("Privacy Policies"). We are also subject to contractual obligations to third parties related to privacy, data protection, and information security and Processing, including contractual obligations to indemnify and hold harmless third parties from the costs or consequences of non-compliance with Data Protection Laws or other obligations ("Data Protection Obligations"). Our solutions depend in part on our ability to use data that we obtain in connection with our offerings, and our ability to use this data may be subject to restrictions in our commercial agreements and subject to the Privacy Policies of the entities that provide us with this data. Our service providers or our partners' failure to adhere to these third-party restrictions on data use may result in claims, proceedings or actions against us by our business counterparties or other parties, or may result in our incurring other liabilities, including loss of business, reputational damage, and remediation costs, which could adversely affect our business. We expect that there will continue to be new Data Protection Laws and Data Protection Obligations, and we cannot yet determine the impact such future Data Protection Laws and Data Protection Obligations may have on our business. Any significant change to Data Protection Laws and Data Protection Obligations, including without limitation the manner in which the express or implied consent of customers for Processing is obtained, could increase our costs and require us to modify our operations, possibly in a material manner, which we may be unable to complete and which may limit our ability to store and Process data and operate our business. In particular, it should be noted that the AdTech industry has in the last few years received increased scrutiny from consumers, media outlets, regulators and lawmakers. This has been demonstrated by the €250,000 fine imposed on the Interactive Advertising Bureau Europe by the Belgian Data Protection Authority in February 2022, following an investigation into its Transparency and Consent Framework ("TCF")--a framework adopted widely for the collection/management of consent to the use of cookies for targeted advertising in the EU. This decision will require us to reassess our reliance on the TCF. Data Protection Laws and data protection worldwide is, and is likely to remain, uncertain for the foreseeable future, and our actual or perceived failure to address or comply with these laws could result in the following: increase our compliance and operational costs; limit our ability to market our products or services and attract new and retain current customers; limit or eliminate our ability to Process data; expose us to regulatory scrutiny, actions, investigations, fines and penalties; result in reputational harm; lead to a loss of business result in litigation and liability, including class action litigation; cause to incur significant costs, expenses and fees (including attorney fees); cause a material adverse impact to business operations or financial results; and otherwise result in other material harm to our business ("Adverse Data Protection Impact"). We are subject to Data Protection Laws, Privacy Policies and Data Protection Obligations as well as applicable foreign, federal, state, local and municipal laws, regulations and industry standards that relate to electronic communications, intellectual property, eCommerce, competition, price discrimination, consumer protection, taxation, and the use of promotions. We strive to comply with applicable laws, policies, contractual and other legal obligations as well as industry standards of conduct relating to privacy, data security, data protection, marketing and consumer protection to the extent possible, but we may at times fail to do so, or may be perceived to have failed to do so. These obligations and standards of conduct often are complex, vague, and difficult to comply with fully, and it is possible that these obligations and standards of conduct may be interpreted and applied in new ways and/ or in a manner that is inconsistent with each other or with new laws, regulations or other obligations that may be enacted. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees, partners or vendors do not comply with applicable Data Protection Laws, Privacy Policies and Data Protection Obligations. We may be subject to, and may experience, an Adverse Data Protection Impact if we fail (or are perceived to have failed) to comply with applicable Data Protection Laws, Privacy Policies and Data Protection Obligations, or if our Privacy Policies are, in whole or part, found to be inaccurate, incomplete, deceptive, unfair, or misrepresentative of our actual practices. In addition, any such failure or perceived failure could result in public statements against us by consumer advocacy groups, the media or others, which may cause us material reputational harm. Our actual or perceived failure to comply with Data Protection Laws, Privacy Policies and Data Protection Obligations could also subject us to litigation, claims, proceedings or actions, or to investigations by governmental entities, authorities or regulators, which could result in an Adverse Data Protection Impact including requiring changes to our business practices, causing the diversion of resources and the attention of management from our business, triggering regulatory oversights and audits, discontinuance of necessary Processing, or imposing other remedies that adversely affect our business. We also expect that there will continue to be new laws, regulations, and industry standards concerning privacy, data protection, and information security proposed and enacted in various jurisdictions. In Europe, the General Data Protection Regulation (2016/679) ("EU GDPR") went into effect in May 2018 and introduced strict requirements for Processing the personal data of data subjects. The EU GDPR governs the collection, use, disclosure, transfer or other processing of personal data and has direct effect in all EU Member States and has extraterritorial effect where organizations outside of the European Economic Area ("EEA") Process personal data of individuals in the EEA in relation to the offering of goods or services to those individuals ("targeting test") or the monitoring of their behavior ("monitoring test"). As such, the EU GDPR applies to us to the extent we are established in an EU Member State, we are Processing personal data in the context of an establishment in the EU, or we meet the requirements of either the targeting test or the monitoring test. Companies that must comply with the EU GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements, an order prohibiting Processing of personal data of data subjects, and potential fines for noncompliance of up to €20 million, or 4% of consolidated annual worldwide gross revenues, whichever is greater. The EU also confers a private right of action on data subjects and consumer associations to lodge complaints with supervisory authorities, seek judicial remedies, and obtain compensation for damages resulting from violations of the EU GDPR. Under the EU GDPR, we may be required to put in place additional mechanisms to ensure compliance. These include, among other things: (i) accountability and transparency requirements, and enhanced requirements for obtaining valid consent; (ii) obligations to consider data protection as any new products or services are developed, and to limit the amount of personal data Processed; (iii) obligations to implement appropriate technical and organizational measures to safeguard personal data and to report certain personal data breaches to the supervisory authority without undue delay (and no later than 72 hours where feasible); and (iv) obligations to provide individuals with various data protection rights (e.g., the right to erasure of personal data). European Data Protection Laws including the EU GDPR generally also prohibit the transfer of personal data from Europe to the United States and other countries ("third countries") that are not recognized as having "adequate" Data Protection Laws unless the parties to the transfer have implemented specific safeguards to protect the transferred personal data. One of the primary safeguards allowing U.S. companies to import personal data from Europe has historically been certification to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks administered by the U.S. Department of Commerce. However, the Court of Justice of the European Union, in the "Schrems II" ruling in 2020, invalidated the EU-U.S. Privacy Shield framework for purposes of international transfers. The Swiss Federal Data Protection and Information Commissioner also opined that the Swiss-U.S. Privacy Shield is inadequate for transfers of personal data from Switzerland to the U.S. On October 7, 2022, the U.S. President introduced an Executive Order to facilitate a new Trans-Atlantic Data Privacy Framework ("DPF"), which will act as a successor to the invalidated Privacy Shield. On July 10, 2023, the European Commission adopted an adequacy decision to reflect its view that the new Executive Order and DPF are able to meet the concerns raised in Schrems II. The US Department of Commerce has announced that companies will also immediately be able to self-certify to the UK and Swiss extensions of the DPF, but that the UK component will not be live until the finalization of the separate and ongoing UK-U.S. adequacy process. The Schrems II decision also led to a requirement for companies to carry out a transfer privacy impact assessment which, among other things, assesses laws governing access to personal data in the recipient country and considers whether supplementary measures that provide privacy protections additional to those provided under SCCs will need to be implemented to ensure an essentially equivalent level of data protection to that afforded in the EU. Further to Schrems II, the European Commission adopted new EU SCCs in June 2021 which impose onerous obligations on the contracting parties and become mandatory from December 27, 2022 for all transfers made in reliance on SCCs (i.e., future and existing SCCs). As such, any transfers by us or our vendors of personal data from Europe may not comply with European Data Protection Law; may increase our exposure to the EU GDPR's heightened sanctions for violations of its cross-border data transfer restrictions; and may reduce demand from companies subject to European Data Protection Laws. Moreover, where we rely on SCCs, we must in certain cases now evaluate and implement supplementary measures that provide privacy protections additional to those provided under SCCs. This evaluation will, in particular, include an assessment as to whether the types of personal data transferred pursuant to SCCs may be subject to government surveillance in the data importer's country, and an assessment as to whether the data importer can meet its contractual obligations under the SCCs. However, entities relying on SCCs are now able to rely on the analysis in the EC's adequacy decision described above as support for their transfer impact assessments when transferring personal data to the US. Additionally, other countries outside of Europe have enacted, or are considering enacting, similar cross-border data transfer restrictions and laws requiring local data residency, which could increase the cost and complexity of delivering our products and operating our business. Compliance with the EU GDPR involves rigorous and time-intensive processes that may increase our cost of doing business or require us to change our business practices. There may also be a risk that the measures will not be implemented correctly or that individuals within the business will not be fully compliant with the required procedures. Further, following the UK's exit from the EU ("Brexit"), the EU GDPR's Data Protection Obligations continue to apply to the United Kingdom in substantially unvaried form under the so called "UK GDPR" (i.e., the EU GDPR as it continues to form part of law in England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the various Data Protection, Privacy and Electronic Communications (EU Exit) Regulations)). The UK GDPR exists alongside the UK Data Protection Act 2018 that implements certain derogations in the UK GDPR into UK law. Under the UK GDPR, companies not established in the UK but who process personal information in relation to the offering of goods or services to individuals in the UK, or to monitor their behavior, will be subject to the UK GDPR – the requirements of which are (at this time) largely aligned with those under the EU GDPR, and as such may lead to similar compliance and operational costs with potential fines of up to £17.5 million or 4% of global turnover. As a result we are potentially exposed to two parallel data protection regimes, each of which authorizes fines and the potential for divergent enforcement actions. It should also be noted that the UK Government has published its own form of EU SCCs known as the UK International Data Transfer Agreement (IDTA) together with an International Data Transfer Addendum (UK Addendum) to the new EU SCCs. The UK Information Commissioner's Office (ICO) has also published its version of the transfer impact assessment and international guidance on international transfers, although entities may choose to adopt either the EU or UK style transfer impact assessment. In terms of international data transfers between the U.K. and the U.S., as stated above, there is an ongoing UK-US adequacy process which, once finalized, will extend the DPF to apply also to transfers from the UK. Any failure or perceived failure by us to comply with applicable laws and regulations or any of our other legal obligations relating to privacy, data protection, or information security may result in governmental investigations or enforcement actions, litigation, claims, or public statements against us. Any of the foregoing could also result in significant liability or cause our customers to lose trust in us, any of which could have an adverse effect on our reputation, operations, financial performance and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products and services. In the United States, Data Protection Laws include rules and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the CCPA and other similar state comprehensive privacy laws, and other state and federal laws relating to privacy and data security. The CCPA requires companies that process information on California residents to make new disclosures to consumers about their data collection, use and selling/sharing practices, allows consumers to opt out of the sale and sharing of personal information with third parties, and provides a private right of action and statutory damages for data breaches. The CCPA, including its amendments under the CPRA, may increase our compliance costs and potential liability. Additionally, the Virginia Consumer Data Protection Act went into effect on January 1, 2023, and affords consumers similar rights to the CCPA, along with additional rights, such as the right to opt-out of processing for profiling and targeted advertising purposes. Further, Colorado and Connecticut have passed comprehensive privacy legislation, that went into effect in July 2023. Utah has similar legislation that will go into effect in 2023, there are many additional states with laws that have been enacted and will go into effect in 2024 or later, and many other states are considering their own privacy legislation. Additionally, in August 2022, the Federal Trade Commission ("FTC") announced that it is exploring rules to limit commercial surveillance that it views harmful, along with potential for additional information security regulations. New privacy laws and regulations could create the potential for a patchwork of overlapping but different privacy obligations and more stringent United States privacy requirements, which in turn could increase our potential liability and adversely affect our business, results of operations, and financial condition. Compliance with the increasing number of newly enacted privacy and data security laws and regulations may be challenging, costly and time-intensive, and we may be required to put in place additional mechanisms to comply with applicable legal requirements. Additional legislative initiatives, to the extent that they become privacy and data security laws or regulations in various states, may have potentially conflicting requirements that would make compliance challenging. Some countries also are considering or have passed legislation requiring local storage and Processing of data, or similar requirements, which could increase the cost and complexity of providing our products and services and other aspects of our business. We expect that there will continue to be new proposed laws, regulations and industry standards concerning privacy, data protection and information security in the United States and other jurisdictions, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. With laws and regulations in the EU, the United Kingdom, the United States, and other global jurisdictions imposing new and potentially costly or disruptive obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, there is a risk that the requirements of these laws and regulations, or of contractual or other obligations relating to privacy, data protection, or information security, could be interpreted or applied in a manner that is, or is alleged to be, inconsistent with our management and Processing practices, our policies or procedures, or our products and services. Given the increased focus on the use of data for advertising, the anticipation and expectation of future laws, regulations, standards and other obligations could impact us and our existing and potential business partners and delay certain business partnerships or deals until there is greater certainty. In addition, as we expand our data analytics and other data-related product offerings, there may be increased scrutiny on our use of data, and we may be subject to new and unexpected regulations, including proposals for regulation of artificial intelligence. Future laws, regulations, standards and other obligations could, for example, impair our ability to collect or use information that we utilize to provide targeted digital promotions and media to consumers, advertisers and retailers, thereby impairing our ability to maintain and grow our total customers and increase revenues. Future restrictions on the collection, use, sharing or disclosure of our users' data, or additional requirements for express or implied consent of users for the use and disclosure of such information could require us to modify our solutions, possibly in a material manner, and could limit our ability to develop or outright prohibit new solutions and features. We may face challenges in addressing the requirements of any such new laws, regulations, other legal obligations or industry standards, or any changed interpretation of existing laws, regulations or other standards and making necessary changes to our policies and practices, and such changes may require us to incur additional costs and restrict our business operations. Although we endeavor to comply with our Privacy Policies and other privacy, data protection or information security-related obligations, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees or vendors do not comply with our Privacy Policies and other privacy, data protection or information security obligations. Any failure or perceived failure by us to comply with our Privacy Policies and our privacy, data protection, or information security-related obligations to customers or other third parties, or our failure to comply with any of our other legal obligations relating to privacy, data protection, information security, marketing or consumer protection could subject us to litigation, regulatory investigations, fines or other liabilities, as well as negative publicity or public statements against us by consumer advocacy groups or others and could result in significant liability or cause a loss of trust in us, which could have an adverse effect on our reputation and business. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations, and policies that are applicable to the businesses of our customers may limit the adoption and use of, and reduce the overall demand for, our products and services. Moreover, if future laws, regulations, other legal obligations or industry standards, or any changed interpretations of the foregoing limit users', advertisers' or retailers' ability to use and share personally identifiable information or our ability to store, process and share personally identifiable information or other data, demand for our solutions could decrease, our costs could increase, our revenue growth could slow, and our business, financial condition and operating results could be harmed. Additionally, if third parties we work with, such as vendors or developers, violate Data Protection Laws, Privacy Policies and Data Protection Obligations, such violations may also put our customers' content at risk and could in turn have an adverse effect on our business. Any significant change to Data Protection Laws, Data Protection Obligations or industry practices regarding the collection, use, retention, security or disclosure of our customers' content, or regarding the manner in which the express or implied consent of customers for the collection, use, retention or disclosure of such content is obtained, could increase our costs and require us to modify our products and services, possibly in a material manner, which we may be unable to complete and which may limit our ability to store and Process customer data or develop new applications and features.

We currently generate almost all of our revenues from the United States. We also operate to a limited extent in the United Kingdom, France and other countries in Europe. Many advertisers and retailers on our platforms have global operations, and we plan to grow our operations and offerings through expansion in existing international markets and by partnering with our advertisers and retailers to enter new geographies that are important to them. For example, our plan to further expand into international markets will require management attention and resources, and we have limited experience entering new geographic markets. Entering new foreign markets will require us to localize our services to conform to a wide variety of local cultures, business practices, laws and policies. The different commercial, privacy and Internet infrastructure frameworks in other countries may make it more difficult for us to replicate our business model in non-U.S. locations. In some countries, we will compete with local companies that understand the local market better than we do, and we may not benefit from first-to-market advantages. We may not be successful in expanding into particular international markets or in generating revenues from foreign operations. As we expand internationally, we will be subject to risks of doing business internationally, including the following: - competition with strong local competitors and preference for local providers, or competition with foreign companies entering the same markets;- the cost and resources required to localize our platforms;- burdens of complying with a wide variety of different laws and regulations, including intellectual property laws and regulation of digital coupons and media, Internet services, privacy and data protection; marketing and consumer protection laws; anti-competition regulations; and different liability standards, any of which may limit or prevent us from offering of our solutions in some jurisdictions or limit our ability to enforce contractual obligations;- differences in how trade marketing spend is allocated;- differences in the way digital promotions and media are delivered and how consumers access and use digital promotions;- technology compatibility;- difficulties in recruiting and retaining qualified employees and managing foreign operations;- different employee/employer relationships and the existence of workers' councils and labor unions;- shorter payment cycles, different accounting practices and greater problems in collecting accounts receivable;- higher product return rates;- seasonal reductions in business activity;- adverse tax effects and foreign exchange controls making it difficult to repatriate earnings and cash; and - political and economic instability. Our planned corporate structure and intercompany arrangements will be implemented in a manner we believe is in compliance with current prevailing tax laws. However, the tax benefits which we intend to eventually derive could be undermined if we are unable to adapt the manner in which we operate our business in response to changing tax laws. Our failure to manage these risks and challenges successfully could materially and adversely affect our business, financial condition and results of operations.

As an industry-leading digital promotions and media company we compete for executive sales, engineering and other talent in a highly competitive environment against large, well-established technology companies and well-funded start-ups, which have significantly greater financial and other resources than we do. If we do not succeed in attracting, hiring and integrating qualified personnel, or motivating and retaining existing personnel, we may be unable to grow effectively and our operating results may be harmed. We initiated reduction-in-force actions in each of July 2022, which impacted 7% of our global workforce, and in November 2022, which impacted 9% of our global workforce. At present we have imposed limits on new hiring. As we continue pursuing our current business transformation strategy, which includes a focus on cost management, we may undergo further restructuring initiatives. Following the easing of the COVID-19 pandemic restrictions in 2021 and continuing thereafter, we have experienced higher employee attrition and an increasingly competitive market for talent. Factors such as turnover within our executive leadership ranks during 2022 and in early 2023, the significant decline in our stock price during the past several quarters, uncertainty surrounding the Proposed Acquisition, and continuing industry demand for talent in certain key areas collectively have made it challenging for us to retain talent as well as backfill vacant certain roles with qualified new hires. In addition, if changes in our business such as the transformation of our business strategy and business model and the related operational changes in various areas of our business, cause us to continue to experience a higher-than-anticipated attrition in certain key areas of our business or if we are unable to hire and ramp up new talent quickly enough to materially meet operational needs, particularly in key product areas such as consumer and key functional areas such as engineering and sales, our results of operations could be negatively impacted. We may be limited in our ability to recruit global talent by U.S. immigration laws, including those related to H1-B visas. The demand for H1-B visas to fill highly-skilled technology and computer science jobs is greater than the number of H1-B visas available each year. To the extent that the immigration-related regulatory environment, including H1-B visa availability, hampers our ability to recruit, hire and retain qualified skilled personnel, our business, operating results and financial condition could be adversely impacted.

We generally pay a distribution fee to retailer and publisher partners in our network when we deliver media and promotions on their digital properties or through their loyalty programs. We also pay fees to retailers for use of their data to power our platforms. Such fees have increased as a percentage of our revenue in recent periods. As we renew agreements or enter into new ones, we may face pressure to pay higher distribution fees. If such fees continue to increase, our cost of revenue could increase and our operating results would be adversely affected. In addition, calculations of such fees are complex and if network partners disagree with our calculations in an audit, the result of such disagreement could have an adverse impact on our business. In addition, some of our agreements with retailers include certain upfront fees/payments or guaranteed distribution fees, which, in some cases, may apply to multiple annual periods. If the adoption and usage of our platforms do not meet projections or minimums, these fees may not be recoverable and any shortfall, if applicable, may be payable by us at the end of the applicable period. We consider various factors in our assessment of whether these upfront or guaranteed distribution fees may not be recoverable, including our historical experience with the transaction volumes through the retailer and comparative retailers, ongoing communications with the retailer to increase its marketing efforts to promote our digital platforms, as well as the projected revenue and associated revenue share payments.