Warby Parker (WRBY) Risk Analysis

We collect, process, store, and use a wide variety of data from current and prospective customers, including personal and sensitive information, such as home addresses and geolocation, and health information related to their ophthalmic prescriptions, as well as our employees and service providers. As such, we are subject to various federal, state, local, and international laws, rules, and regulations, as well as industry standards and regulatory guidance, relating to the collection, receipt, use, maintenance, storage, use, retention, security, disclosure, transfer and other processing of confidential, sensitive, and personal information. In addition, existing laws and regulations are constantly evolving, and new laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally. Many state legislatures have adopted legislation that regulates how businesses handle personal information, including measures relating to privacy, data security, and data breaches. Such legislation includes the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), which imposes obligations on businesses that process personal information of California residents. Among other things, the CCPA: requires disclosures to such residents about the data collection, use and disclosure practices of covered businesses; gives California residents expanded rights related to their personal information, including the right to access, correct and delete their personal information, and opt-out for certain sales or transfers of personal information for cross-context behavioral advertising and for profiling and automated decision making in furtherance of decisions that produce legal or similarly significant effects; provides new audit requirements for higher risk data; provides for civil penalties for violations, and creates a private right of action for data breaches that is expected to increase data breach litigation. Similar laws have been enacted in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. To the extent multiple state-level laws are introduced with inconsistent or conflicting standards and there is no federal law to preempt such laws, compliance with such laws could be difficult and costly to achieve and we could be subject to fines and penalties in the event of actual or perceived non-compliance. Additionally, we are subject to certain health information privacy and security laws as a result of the health information that we receive in connection with our products and services. These laws and regulations include HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act, or HITECH, and their implementing regulations. HIPAA requires us to develop and maintain policies and procedures governing protected health information ("PHI") that is used or disclosed, and to implement administrative, physical and technical safeguards to protect PHI, including PHI maintained, used, and disclosed in electronic form. These safeguards include employee training, identifying business associates with whom covered entities need to enter into HIPAA-compliant contractual arrangements and various other measures. Ongoing implementation and oversight of these measures involves significant time, effort, and expense and we may have to dedicate additional time and resources to ensure compliance with HIPAA requirements. Additionally, it is not always possible to identify and deter misuse by our employees and other third parties, and the precautions we take to detect and prevent noncompliance may not be effective in preventing all misuse, breaches, or violations. For example, as discussed above, in 2018, we experienced a credential stuffing attack in which malicious third parties used credentials compromised in data breaches suffered by other companies to access accounts on our platform and received notice that OCR would be investigating the incident and our compliance with the Privacy, Security, and Breach Notification Rules and requesting certain information related to the incident and our compliance with the Privacy, Security, and Breach Notification Rules. The Company paid a civil monetary penalty to OCR in December 2024 and the investigation was formally closed in February 2025. HIPAA imposes mandatory civil and criminal penalties for certain violations. HIPAA also authorizes state attorneys general to file suit on behalf of their residents. While HIPAA does not create a private right of action that would allow individuals to sue in civil court for a HIPAA violation, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in misusing personal information. Many states in which we operate and in which our customers reside also have laws that protect the privacy and security of health information, many of which differ from each other in significant ways and often are not preempted by HIPAA, thus complicating compliance efforts. For example, Washington has adopted the My Health My Data Act, a privacy law that imposes new state restrictions and requirements on the processing and sale of consumer health data and creates a private right of action, which took effect as to the substantial majority of the legislation in March 31, 2024. Where state laws are more protective than HIPAA, we have to comply with the stricter provisions, absent statutory exemptions. Whether and how these exemptions will be applied under new laws such as the My Health My Data Act and the CCPA and CPRA is an unsettled area of law. In addition to fines and penalties imposed upon violators, some of these state laws also afford private rights of action to individuals who believe their personal information has been misused, such as the CCPA and CPRA. In addition, laws, regulations, and standards covering marketing, advertising, and other activities conducted by telephone, email, mobile devices, and the internet may be or become applicable to our business, including consumer protection and communication privacy laws. For example, the Telephone Consumer Protection Act, or TCPA, imposes significant restrictions on the ability to make telephone calls or send text messages to mobile telephone numbers without the prior consent of the person being contacted. Claims that we have violated the TCPA could be costly to litigate, and if successful, expose us to substantial statutory damages. Foreign privacy laws are also rapidly changing, have become more stringent in recent years, and may increase the costs and complexity of offering our offerings in new geographies. In Canada, where we operate, the Personal Information Protection and Electronic Documents Act, or PIPEDA, and various provincial laws require that companies give detailed privacy notices to consumers, obtain consent to use personal information, with limited exceptions, allow individuals to access and correct their personal information, and report certain data breaches. In addition, Canada's Anti-Spam Legislation, or CASL, prohibits email marketing without the recipient's consent, with limited exceptions. Failure to comply with PIPEDA, CASL, or provincial privacy or data protection laws could result in significant fines and penalties or possible damage awards. In the event we expand to the European Economic Area, we may become subject to the General Data Protection Regulation, or the GDPR, which imposes strict obligations on the ability to collect, analyze, transfer, and otherwise process personal data and the UK has a similar law. The GDPR provides for monetary penalties and companies may also face civil claims including representative actions and other class action type litigation (where individuals have suffered harm), potentially amounting to significant compensation or damages liabilities, as well as associated costs, diversion of internal resources, and reputational harm. Furthermore, regulatory guidance is evolving and monitoring developments and compliance will lead to increased costs. In addition, privacy advocates and industry groups have regularly proposed, and may propose in the future, self-regulatory standards by which we are legally or contractually bound. If we fail to comply with these contractual obligations or standards, we may face substantial liability or fines. Consumer resistance to the collection and sharing of the data used to deliver targeted advertising, increased visibility of consent or "do not track" mechanisms as a result of industry regulatory or legal developments, the adoption by consumers of browser settings or "ad-blocking" software, and the development and deployment of new technologies could materially impact our ability to collect data or reduce our ability to deliver relevant promotions or media, which could materially impair the results of our operations. Further, we are subject to the Payment Card Industry Data Security Standard ("PCI"), which is a multifaceted security standard that is designed to protect cardholder data as mandated by by the Payment Card Industry Security Standards Council. We work with our merchant services providers to ensure PCI compliance across our payment processing channels. Despite our compliance efforts, in the event of a breach of the security of payment card data, we may become subject to claims that we have violated the PCI based on past, present, and future business practices, which could have an adverse impact on our business and reputation. In addition, we are subject to the risk of changes to or disruption in our providers' service. Costs and potential problems and interruptions associated with the implementation of new or upgraded systems and technology such as those necessary to achieve compliance with the PCI or with maintenance or adequate support of existing systems could also disrupt or reduce the efficiency of our operations. Any material interruptions or failures in our payment-related systems could have a material adverse effect on our business, financial condition, and results of operations. If there are amendments to the PCI, the cost of re-compliance could also be substantial and we may suffer loss of critical data and interruptions or delays in our operations as a result. If we or are service providers are unable to comply with the security standards established by banks and the payment card industry, we may be subject to fines, restrictions and expulsion from card acceptance programs, which could materially and adversely affect our business. Compliance with these domestic, foreign, and any other applicable privacy and data security laws and regulations is a rigorous and time-intensive process, and we may be required to put in place additional mechanisms to ensure compliance with the new data protection rules. Despite our efforts, we may not be successful in achieving compliance with the rapidly evolving privacy, data security, and data protection requirements discussed above. Emerging technologies we utilize, including artificial intelligence and machine learning, may also become subject to regulation under new laws or new applications of existing laws. While we strive to comply with applicable laws and regulations relating to privacy and data protection in all material respects, there is no assurance that we will not be subject to claims that we have violated applicable laws or codes of conduct, that we will be able to successfully defend against such claims or that we will not be subject to significant fines, penalties, or corrective action requirements in the event of non-compliance. Any actual or perceived non-compliance could result in litigation and proceedings against us by governmental entities, customers or others, fines and civil or criminal penalties, limited ability or inability to operate our business, offer services, or market our business in certain jurisdictions, negative publicity and harm to our brand and reputation, and reduced overall demand for our products and services. Such occurrences could adversely affect our business, financial condition, and results of operations. Our general liability insurance may not cover all potential claims to which we are exposed and may not be adequate to indemnify us for the full extent of our potential liabilities.

Stockholders of a Delaware public benefit corporation (if they, individually or collectively, own the lesser of 2% of its outstanding capital stock or shares of at least $2 million in market value) are entitled to file a derivative lawsuit claiming that its directors failed to balance stockholder and public benefit interests. This potential liability does not exist for traditional corporations. Therefore, we may be subject to the possibility of increased derivative litigation, which would require the attention of management and, as a result, may adversely impact management's ability to effectively execute our strategy. Any such derivative litigation may be costly and have an adverse impact on our business operations, financial conditions, and results of operations.

Due to the global nature of the internet, it is possible that various states, municipalities or foreign countries might, as a consequence of their review of the appropriate treatment of companies engaged in e-commerce and digital services, attempt to impose additional or new regulation on our business or levy additional or new sales, income, or other taxes on us or our customers. For example, following the U.S. Supreme Court's 2018 decision in South Dakota v. Wayfair Inc., which held, among other things, that a state may require an out-of-state seller with no physical presence in the state to collect and remit sales taxes on goods the seller ships to consumers in the state, many states have adopted Wayfair laws requiring remote sellers to collect and pay sales tax based on transactions that take place in their jurisdiction. Other new or revised taxes and, in particular, digital taxes, sales taxes, VAT, and similar taxes could increase the cost of doing business online and decrease the attractiveness of selling products over the internet. New taxes and related rulings and regulations could also create significant increases in internal costs necessary to capture data and collect and remit taxes. Any of these events could have a material adverse effect on our business, financial condition, and operating results.

In addition to the importance of their financial performance, investors, employees, customers, governmental and regulatory bodies and other stakeholders or third parties are increasingly judging companies by their performance on a variety of environmental, social, and governance, or ESG, matters, which are considered to contribute to the long-term sustainability of companies' performance. A variety of organizations and stakeholders measure the performance of companies on such ESG topics, and the results of these assessments are widely publicized. Topics taken into account in such assessments include, among others, the company's efforts and impacts on climate change and human rights or labor conditions, ethics and compliance with law, and governance considerations, including the role of the company's board of directors in supervising various ESG issues. We may face heightened scrutiny on such ESG topics given our status as a public benefit corporation and certified B corporation. In addition to the topics typically considered in such assessments, in the healthcare industry, issues of the public's ability to access our products and solutions are of particular importance. Further, as investor and other stakeholder expectations and ESG disclosure standards and policies continue to evolve, so do our public disclosures in these areas. Such disclosures may reflect aspirational goals and other expectations and assumptions, which are necessarily uncertain and may not be realized. Failure to realize (or timely achieve progress on) such aspirational goals could adversely affect our third party ESG ratings, our reputation or otherwise adversely affect us. Simultaneously, there are efforts by some parties, including but not limited to investors, environmental activists, policymakers, the media and governmental authorities and nongovernmental organizations, to reduce companies' efforts on certain ESG-related matters. Both advocates and opponents to certain ESG matters are increasingly resorting to a range of activism forms, including media campaigns and litigation, to advance their perspectives. To the extent we are subject to such activism, it may require us to incur costs or otherwise adversely impact our business. Furthermore, if we do not successfully manage diverging ESG-related expectations across stakeholders, it could erode stakeholder trust, impact our reputation, subject us to investigation, litigation or shareholder activism, and adversely affect our business, financial condition, results of operations and cash flows. In addition, various regulatory authorities have imposed, and may continue to impose, mandatory substantive or disclosure requirements with respect to ESG and sustainability matters. For example, we may be subject to various disclosure requirements (such as information on greenhouse gas emissions, climate risks, use of carbon offsets, and emissions reduction claims) from the State of California, including SB 253 and SB 261, as well as the SEC's climate disclosure rules, pending the outcome of current litigation and stay, and the International Sustainability Standards Board's sustainability and climate standards (which have been adopted or are pending adoption in some form by various jurisdictions, including Canada) among other current or future regulations or requirements. These requirements may not always be uniform across jurisdictions, which may result in increased complexity, and cost, for compliance, as well as could lead to increased litigation risks related to disclosures made pursuant to these regulations and/or legal requirements, any of which could materially and adversely affect our financial performance. Any of the foregoing may require us to make additional investments in facilities and equipment, require us to incur additional costs for the collection of data and/or preparation of disclosures and associated internal controls, may impact the availability and cost of key raw materials used in the production of our products or the demand for our products, and, in turn, may adversely impact our business, operating results, and financial condition. Additionally, many of our suppliers and business partners may be subject to similar requirements, which may augment or create additional risks, including risks that may not be known to us. In light of investors' and regulators' increased focus on ESG matters, there can be no certainty that we will manage such issues successfully, or that we will successfully meet our customers' or society's expectations as to our proper role. If we fail, or are perceived to fail, to meet the ESG values, standards and metrics that we set for ourselves, or our articulated public benefit purposes, or if we fail to meet regulatory requirements for ESG disclosures, we may experience negative publicity and a loss of customers, employees, or suppliers or be subject to regulatory fines or penalties or litigation, which will adversely affect our business, financial condition, and results of operations. See "-Risks Related to Our Existence as Public Benefit Corporation."

Our operations depend on our ability to offer eye exams for glasses and contact lenses. Our ability to hire optometrists, opticians, and other vision care professionals and/or contract with optometrists or independent professional corporations or similar entities that employ optometrists for our retail stores that offer such eye exams is important to our operations as well as our growth strategy, but there is no assurance that we will be successful in recruiting such professionals. Furthermore, our operations are subject to state licensing laws and many states require that opticians be licensed to dispense and fit glasses and contact lenses. Our ability to attract and retain optometrists, opticians and other vision care professionals and/or contract with optometrists or independent professional corporations or similar entities that employ optometrists depends on several factors. We compete with other optical retail companies, health systems and group practices for vision care professionals. We, as well as the professional corporations or similar entities that employ optometrists in certain of our retail stores, could face difficulties attracting and retaining qualified professionals if we or such corporations fail to offer competitive compensation and benefits. Increased compensation for vision care professionals could raise our costs and put pressure on our margins. The loss of or the inability by us or our affiliated professional entities to foster new relationships with such vision care professionals could impair our ability to provide services to our customers and/or cause our customers to go elsewhere for their optical needs. A change to any of the foregoing relationships could have a material adverse effect on our business, financial condition, and results of operations.

Amazon Web Services, or AWS, is a third-party provider of cloud infrastructure services. We outsource substantially all of our core architecture to AWS. AWS provides the cloud computing infrastructure we use to host our website and mobile applications, serve our customers and support our operations and many of the internal tools we use to operate our business. Our website, mobile applications and internal tools use computing, storage, data transfer, and other functions and services provided by AWS. We do not have control over the operations of the facilities of AWS that we use. AWS' facilities may be vulnerable to damage or interruption from earthquakes, hurricanes, floods, fires, cybersecurity attacks, terrorist attacks, power losses, telecommunications failures, and other events beyond our control. In the event that AWS' or any other third-party provider's systems or service abilities are hindered by any of the events discussed above, particularly in a region where our website is mainly hosted, our ability to operate our business may be impaired. A decision to close the facilities without adequate notice or other unanticipated problems or disruptions could result in lengthy interruptions to our business. All of the aforementioned risks may be exacerbated if our business continuity and disaster recovery plans prove to be inadequate. Additionally, data stored with AWS may experience threats or attacks from computer malware, ransomware, viruses, social engineering (including phishing attacks), denial of service or other attacks, employee theft or misuse, and general hacking. Any of these security incidents could result in unauthorized access to, damage to, disablement or encryption of, use or misuse of, disclosure of, modification of, destruction of, or loss of our data or our customers' data or disrupt our ability to provide our products and services, including due to any failure by us to properly configure our AWS environment. Our business' continuing and uninterrupted performance is critical to our success. Customers may become dissatisfied by any system failure that interrupts our ability to provide our products and services to them. We may not be able to easily switch our AWS operations to another cloud or other data center provider if there are disruptions or interference with our use of AWS, and, even if we do switch our operations, other cloud and data center providers are subject to the same risks. Sustained or repeated system failures would reduce the attractiveness of our products and services, thereby reducing net revenue. Moreover, negative publicity arising from these types of disruptions could damage our reputation and may adversely impact our business. Our customer agreement with AWS remains in effect until (i) terminated for convenience, which we may do for any reason by providing AWS notice and closing our account and which AWS may do for any reason by providing us at least 30 days' notice or (ii) terminated for cause, which either party may do if the other party has an uncured material breach and which AWS may do immediately upon notice. AWS does not have an obligation to renew its agreements with us on terms acceptable to us. Although alternative data center providers could host our business on a substantially similar basis to AWS, transitioning the cloud infrastructure currently hosted by AWS to alternative providers could potentially be disruptive, and we could incur significant one-time costs. If we are unable to renew our agreement with AWS on commercially acceptable terms, our agreement with AWS is prematurely terminated, or we add additional infrastructure providers, we may experience costs or downtime in connection with the transfer to, or the addition of, new data center providers. If AWS or other infrastructure providers increase the costs of their services, our business, financial condition, or results of operations could be materially and adversely affected.

Meeting customer demand partially depends on our ability to obtain timely and adequate delivery of components for our products and services. All of the components that go into the manufacturing of our products and services are sourced from a limited number of third-party suppliers predominantly in the U.S., China, Italy, Vietnam, and Japan, and, in particular, over half of the cellulose acetate used to produce many of our frames is provided by a single supplier. Aside from the cellulose acetate that we source ourselves, our contract manufacturers purchase many of these components on our behalf, including sun lenses, demo lenses, hinge and core kits, and branded logos, subject to certain approved supplier lists, and we do not have long-term arrangements with most of our component suppliers. We are therefore subject to the risk of shortages and long lead times in the supply of these components and the risk that our suppliers discontinue or modify components used in our products. In addition, the lead times associated with certain components are lengthy and preclude rapid changes in design, quantities, and delivery schedules. Our ability to meet temporary unforeseen increases in demand has been, and may in the future be, impacted by our reliance on the availability of components from these sub-suppliers. We may in the future experience component shortages, and the predictability of the availability of these components may be limited, which may be heightened in the event of global supply chain disruption. In the event of a component shortage or supply interruption from suppliers of these components, we may not be able to develop alternate sources in a timely manner. Developing alternate sources of supply for these components may be time-consuming, difficult, and costly, and we may not be able to source these components on terms that are acceptable to us, or at all, which may undermine our ability to fill our orders in a timely manner. Any interruption or delay in the supply of any of these parts or components, or the inability to obtain these parts or components from alternate sources at acceptable prices and within a reasonable amount of time, would harm our ability to timely ship our products to our customers. See "-We face risks associated with suppliers from whom our products are sourced and are dependent on a limited number of suppliers." In addition, substantially all of our components are shipped directly from our contract manufacturers to our optical laboratories in the United States or our third-party optical laboratories in the United States and China, where lenses are cut and mounted into frames. These laboratories process most of the glasses ordered by our customers. Once processed at the laboratories, the finished products are then sorted and shipped using third-party carriers to our retail stores for customer pickup or directly to our customers. Our glasses frames for our Home Try-On program are shipped directly from our contract manufacturers to our third-party distribution center in the United States for shipment directly to our customers. We depend in large part on the orderly operation of this distribution process, which depends, in turn, on adherence to shipping schedules and effective management of our optical laboratory network and third-party distribution center. Increases in transportation costs (including increases in fuel costs), issues with overseas shipments, supplier-side delays, reductions in the transportation capacity of carriers, labor strikes or shortages in the transportation industry, disruptions to the national and international transportation infrastructure, and unexpected delivery interruptions or delays also have the potential to derail our distribution process. Moreover, volatile economic conditions may make it more likely that our suppliers and logistics providers may be unable to timely deliver supplies, or at all, and there is no guarantee that we will be able to timely locate alternative suppliers of comparable quality at an acceptable price. In addition, international supply chains have been and may in the future be impacted by events outside of our control, including but not limited to global pandemics and geopolitical conflicts, and limit our ability to procure timely delivery of supplies or finished goods and services. We face additional risks related to the optical laboratory we contract with in China and suppliers in China, including port of entry risks such as longshoremen strikes, import restrictions, foreign government regulations, trade restrictions, customs, and duties. We source components from suppliers located in China. In recent years, the U.S. government has implemented tariffs on specified products imported into the United States from China and, as a result, costs with respect to our products subject to these tariffs have increased. In February 2025, the U.S. government imposed additional tariffs on imports from China and announced and subsequently paused implementation of tariffs on imports from Canada and Mexico. These additional tariffs or any future tariffs, as well as a government's adoption of "buy national" policies or retaliation by another government against such tariffs or policies have introduced significant uncertainty into the market. We have implemented mitigation plans and continue to focus on additional mitigation strategies to offset the impact of tariffs, including by continuing to diversify our supplier base in locations outside of China. If we are unable to mitigate the full impact of current and future tariffs or if there is a further escalation of tariffs, costs on a significant portion of our products may increase further, which could reduce our margins or force us to raise prices, and our financial results may be negatively affected. Further increases in China tariffs will impact our business, and our financial results may also be impacted by any resulting economic slowdown. The inability to fulfill, or any delays in processing, customer orders through our optical laboratory network or any quality issues could result in the loss of customers, issuances of refunds or credits, and may also adversely affect our reputation. The success of our retail stores and e-commerce sales depends on the timely receipt of products by our customers and any repeated, intermittent or long-term disruption in, or failures of, the operations of our distribution center and/or optical laboratories could result in lower sales and profitability, a loss of loyalty to our brands, and excess inventory. The insurance we maintain for business interruption may not cover all risk, or be sufficient to cover all of our potential losses, may not continue to be available to us on acceptable terms, if at all, and any insurance proceeds may not be paid to us in a timely manner. Furthermore, increases in compensation, wage pressure, and other expenses for our employees, may adversely affect our profitability. Increases in minimum wages and other wage and hour regulations can exacerbate this risk. These cost increases may be the result of inflationary pressures which could further reduce our sales or profitability. Increases in other operating costs, including changes in energy prices and lease and utility costs, may increase our cost of products sold or selling, general, and administrative expenses. Inflationary pressures could also increase the costs of acquiring goods from our suppliers and the costs of transporting those goods. Our competitive price model and pricing pressures in the optical retail industry may inhibit our ability to reflect these increased costs in the prices of our products, in which case such increased costs could have a material adverse effect on our business, financial condition, and results of operations.

Our success depends, in a large degree, on our ability to attract consumers to our website, mobile applications, and select application partners and convert them into customers in a cost-effective manner. We depend, in large part, on search engines, social media platforms, digital application stores, content-based online advertising, and other online sources for traffic to our website, mobile applications, and select application partners. With respect to search engines, we are included in search results as a result of both paid search listings, where we purchase specific search terms that result in the inclusion of our advertisement, and free search listings, which depend on algorithms used by search engines. For paid search listings, if one or more of the search engines or other online sources on which we rely for purchased listings modifies or terminates its relationship with us, our expenses could rise, we could lose consumers and traffic to our website could decrease, any of which could have a material adverse effect on our business, financial condition, and results of operations. Further, our competitors bid on terms like "Warby Parker" as paid keywords, and consumers searching for us could instead by directed to a third-party's website, which could lead to reduced traffic to our website, which may have a material adverse effect on our business, financial condition, and results of operations. For free search listings, if search engines on which we rely for algorithmic listings modify their algorithms, our websites may appear less prominently or not at all in search results, which could result in reduced traffic to our websites. Our ability to maintain and increase the number of consumers directed to our products from digital platforms is not entirely within our control. Search engines, social media platforms, and other online sources often revise their algorithms and introduce new advertising products. If one or more of the search engines or other online sources on which we rely for traffic to our website and our mobile app were to modify its general methodology for how it displays our advertisements or keyword search results, resulting in fewer consumers clicking through to our website and our mobile applications, our business and operating results are likely to suffer. For example, Apple has moved to "opt-in" privacy models, requiring consumers to expressly consent to receiving targeted ads, which may reduce the value of inventory on its iOS mobile application platform. In addition, if our online display advertisements are no longer effective or are not able to reach certain consumers due to consumers' use of ad-blocking software, our business and operating results could suffer. Furthermore, changes in consumer acceptance or usage of our online sources for traffic could adversely impact the effectiveness of our advertising. Additionally, changes in regulations could limit the ability of search engines and social media platforms, including, but not limited to, Google and Meta, to collect data from users and engage in targeted advertising, making them less effective in disseminating our advertisements to our target customers. If the costs of advertising on search engines and social media platforms increase, we may incur additional marketing expenses or be required to allocate a larger portion of our marketing spend to other channels and our business and operating results could be adversely affected. The marketing of our products depends on our ability to cultivate and maintain cost-effective and otherwise satisfactory relationships with digital application stores. As we grow, we may struggle to maintain cost-effective marketing strategies, and our customer acquisition costs could rise substantially, particularly if our customer mix skews towards fewer repeat purchases by existing customers and more new customers that require higher costs to acquire. Furthermore, because many of our customers access our products through our mobile applications, we depend on the Apple App Store and Google Play to distribute our mobile applications. Apple and Google have broad discretion to change their respective terms and conditions applicable to the distribution of our mobile applications, to interpret their respective terms and conditions in ways that may limit, eliminate or otherwise interfere with our ability to distribute mobile app through their stores, the features we provide and the manner in which we market in-application products. We cannot assure you that Apple or Google will not limit, eliminate or otherwise interfere with the distribution of our mobile applications, the features we provide and the manner in which we market our mobile applications. To the extent it does so, our business, financial condition, and results of operations could be adversely affected.

Third parties may assert claims against us alleging that we infringe upon, misappropriate, dilute or otherwise violate their intellectual property rights, particularly as we expand our business and the number of products we offer. These risks have been amplified by the increase in third parties whose sole or primary business is to assert such claims. We may be particularly vulnerable to such claims, as companies having a substantial online presence are frequently subject to litigation based on allegations of infringement or other violations of intellectual property rights. As we gain an increasingly high public profile, the possibility of intellectual property rights claims against us grows. Our competitors and others may now and in the future have significantly larger and more mature patent portfolios than us. We rely on contracts and releases for ownership of copyrighted materials and the right to use images of individuals on our webpage and marketing material, and we may be subject to claims that we did not properly obtain rights, consent, a release, or permission to use certain content or imagery. Many potential litigants have the ability to dedicate substantial resources to the assertion of their intellectual property rights. Any claim of infringement by a third party, even those without merit, could cause us to incur substantial costs defending against the claim, could distract our management from our business, could require us to cease use of such intellectual property, and could create ongoing obligations if we are subject to agreements or injunctions (stipulated or imposed) preventing us from engaging in certain acts. Furthermore, because of the substantial amount of discovery required in connection with intellectual property litigation, we risk compromising our confidential information during this type of litigation. Our defense of any claim, regardless of its merit, could be expensive and time consuming and could divert management resources. We cannot predict the outcome of lawsuits and cannot ensure that the results of any such actions will not have an adverse effect on our business, financial condition, or results of operations. Successful infringement claims against us could result in significant monetary liability or prevent us from selling some of our products. In addition, resolution of claims may require us to redesign or rebrand our products, license rights from third parties on potentially unfavorable terms, cease using certain brand names or other intellectual property rights altogether, make substantial payments for royalty or license fees, legal fees, settlement payments or other costs or damages, or admit liability. Such outcomes could encourage others to bring claims against us. To the extent we seek a license to continue offerings or operations found or alleged to infringe third-party intellectual property rights, such a license may be non-exclusive, and therefore our competitors may have access to the same technology licensed to us. In the event we are required to develop alternative, non-infringing technology, this could require significant time (during which we would be unable to continue to offer our affected offerings), effort and expense, and may ultimately not be successful. Any of these events could harm our business and cause our results of operations, liquidity, and financial condition to suffer.

We use third-party open-source software in connection with the development and deployment of our software applications. From time to time, companies that use third-party open-source software have faced claims challenging the use of such open-source software and their compliance with the terms of the applicable open-source license. We may be subject to suits by parties claiming ownership of what we believe to be open-source software or claiming non-compliance with the applicable open-source licensing terms. Some open-source licenses require end-users who distribute or make available across a network software and services that include open-source software to make available all or part of such software, which in some circumstances could include valuable proprietary code. While we employ practices designed to monitor our compliance with the licenses of open-source software and try to ensure that we do not use any of the open-source software in a manner that would require us to disclose our proprietary source code, we cannot guarantee that we will be successful. We cannot guarantee that all open-source software is reviewed prior to use in our platform, or that our developers have not incorporated (and will not in the future incorporate) open-source software into our products without our knowledge. Furthermore, there are an increasing number of open-source software license types, almost none of which have been tested in a court of law, resulting in a dearth of guidance regarding the proper legal interpretation of such licenses. As a result, there is a risk that open-source software licenses could be construed in a manner that imposes unanticipated conditions or restrictions on our ability to market or provide our products and services. If we were to receive a claim of non-compliance with the terms of any of our open-source licenses, we may be required to publicly release certain portions of our proprietary source code or expend substantial time and resources to re-engineer some or all of our software. In addition, the use of third-party open-source software typically carries greater technical and legal risks than the use of third-party commercial software because open-source licensors generally do not provide support, warranties, or controls on the functionality or origin of the software. To the extent that our platform depends upon the successful operation of open-source software, any undetected errors or defects could prevent the deployment or impair the functionality of our systems and injure our reputation. Use of open-source software may also present additional security risks because the public availability of such software may make it easier for hackers and other third parties to compromise our platform. Any of the foregoing could be harmful to our business, financial condition, or results of operations, and could help our competitors develop offerings that are similar to or better than ours.