AppLovin (APP) Risk Analysis

We receive, store, and process personal information and other data, including data relating to individuals and households, and we enable our users to share their personal information with each other and with third parties. Numerous federal, state, and local laws around the world address privacy and the collection, storing, sharing, use, disclosure, deletion, protection, and other processing of personal information and other data, including data relating to individuals and households, the scope of which are changing, subject to differing interpretations, and may be inconsistent between jurisdictions or conflict with other obligations. Various government and consumer agencies have called for, or sought to implement, new regulation and changes in industry practices relating to the collection and processing of information concerning consumer behavior, including by restricting certain targeted advertising practices. For example, the GDPR, which became effective in May 2018, created new individual privacy rights and imposed worldwide obligations on companies processing personal data of European Union ("EU") users, which has created a greater compliance burden for us and other companies with European users, and subjects violators to substantial monetary penalties. For example, the GDPR and other similar regulations require companies to give specific types of notice and in some cases seek consent from data subjects to collect and use their data for certain purposes, including interest-based advertising. The United Kingdom has implemented legislation that substantially implements the GDPR and which also provides for substantial monetary penalties. In June 2021, the European Commission announced a decision of "adequacy" concluding that the United Kingdom ensures an equivalent level of data protection to the GDPR, which generally permits personal data flows from the European Economic Area ("EEA") to the United Kingdom. Such adequacy decision must, however, be renewed in 2025 and may be modified or revoked in the interim. In June 2025, the United Kingdom enacted targeted modifications to its data protection framework that cause it to deviate from the GDPR in certain respects. These amendments may impact the European Commission's views with respect to its adequacy decision regarding the UK's data protection regime. We cannot fully predict how United Kingdom data protection laws or regulations may develop in the medium to longer term, nor the impacts of divergent laws and guidance regarding EU and United Kingdom data protection law. With regard to transfers to the United States of personal data from our employees and European users and other third parties, we historically relied upon the EU-U.S. and Swiss-U.S. Privacy Shield programs as well as standard contractual clauses approved by the EU Commission (the "SCCs"); however, the EU-U.S. Privacy Shield and the SCCs have been subject to legal challenge, and on July 16, 2020, the Court of Justice of the EU held in the Schrems II case that the EU-U.S. Privacy Shield was invalid, and imposed obligations in connection with use of the SCCs. EU regulators also have issued guidance that we and other companies must consider and undertake when using the SCCs. On June 4, 2021, the European Commission adopted new SCCs to reflect GDPR requirements. The United Kingdom's Information Commissioner's Office also has issued new standard contractual clauses for which implementation is required. Further, the Austrian, French, Italian, and Danish data protection authorities have indicated that use of Google Analytics by European website operators involves the unlawful transfer of personal data to the United States. In March 2022, the EU and U.S. agreed in principle upon a new EU-U.S. Data Privacy Framework ("EU-U.S. DPF"). On July 10, 2023, the European Commission adopted an adequacy decision in relation to the EU-U.S. DPF, allowing it to be used to legitimize EU-U.S. personal data transfers for participating entities. The United Kingdom and U.S. also have established a UK Extension to the EU-U.S. DPF (the "UK Extension"), effective October 12, 2023, whereby entities participating in the EU-U.S. DPF, may rely upon the UK Extension to legitimize United Kingdom-U.S. personal data transfers. Further, on July 17, 2023, the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF"), which provides for a means of legitimizing personal data transfers from Switzerland to the U.S., entered into effect. We are self-certified under the EU-U.S. DPF, Swiss-U.S. DPF, and the UK Extension. The EU-U.S. DPF has faced legal challenge, and it and the Swiss-U.S. DPF and UK Extension may be subject to further legal challenges. The European Commission's adequacy decision regarding the EU-U.S. DPF provides that the EU-U.S. DPF will be subject to future reviews and may be subject to suspension, amendment, repeal, or limitations to its scope by the European Commission. The SCCs and other cross-border data transfer mechanisms may also be the subject of additional legislative activity and regulatory guidance. We and many other companies may need to implement different or additional measures to establish or maintain legitimate means for the transfer and receipt of personal data from the EEA, Switzerland, the United Kingdom, or other jurisdictions to the United States, and we may, in addition to other impacts, experience additional costs associated with increased compliance burdens, and we and our clients face the potential for regulators to apply different standards to the transfer of personal data from various jurisdictions to the United States, and to block, or require ad hoc verification of measures taken with respect to, certain data flows. We also may find it necessary to engage in contract negotiations with third parties that aid in processing data on our behalf, to address cross-border data transfer matters. We may not be able to find alternative service providers which could limit our ability to process personal data from impacted jurisdictions and increase our costs and/or impact our advertising solutions, or other offerings. We and our clients may face a risk of enforcement actions by data protection authorities relating to personal data transfers. Any such enforcement actions could result in substantial costs and diversion of resources, distract management and technical personnel, and adversely affect our business, financial condition, and results of operations. Similar to the GDPR, in September 2020, Brazil enacted the Brazilian General Data Protection Law. China has enacted a new data privacy law known as PIPL, effective November 1, 2021, which adopts a stringent data transfer regime requiring, among other things, data subject consent for certain data transfers. Any of these developments may have an adverse effect on our business. Moreover, there are increasing restrictions in the United States on certain personal sensitive data transfers to certain foreign countries. The Department of Justice recently finalized a final rule implementing Executive Order 14117, effective April 8, 2025, which prohibits data transfer of personal identifiers, precise geolocation data, biometric identifiers, health data, and financial data over a certain bulk threshold to identified countries of concern (i.e., China, Hong Kong, Macau, Cuba, Iran, North Korea, Russia, and Venezuela). The rule also restricts data brokerage agreements, investment agreements, employment agreements, and vendor agreements involving such data and countries of concern. Violations of the rule may be punishable by criminal and/or civil sanctions and may result in exclusion from participation in federal and state programs. These data transfer restrictions may create operational challenges and legal risks for our business, particularly with regard to China, where we have operations. Another example of increasingly stringent privacy legislation is California's passage of the CCPA, which went into effect on January 1, 2020, and created new privacy rights for residents, including a private right of action for data breaches. The CPRA was approved by California voters in November 2020, went into effect on January 1,2023, and significantly modified the CCPA, resulting in further uncertainty. Additionally, other states in the U.S. have proposed or enacted laws addressing privacy and cybersecurity, many of which are comprehensive statutes containing obligations similar to the CCPA and CPRA, that have taken effect or will take effect in coming years. Certain of these laws provide for private rights of action, which may increase the likelihood of class action litigation, that could also adversely affect our reputation, business, financial condition, and results of operations. The U.S. federal government is also contemplating federal privacy legislation. Our efforts to comply with the CCPA, as modified by the CPRA, and other existing and future legal requirements have required us and will continue to require us to devote significant operational resources and incur significant costs and expenses. Our compliance and oversight efforts regarding privacy, data protection, and security will require significant time and attention from our management and board of directors. Further, children's privacy continues to be a focus of enforcement activities and subjects our business to potential liability that could adversely affect our business, financial condition, or operating results. For example, enforcement of COPPA, which requires companies to obtain parental consent before collecting personal information from children known to be under the age of thirteen or from child-directed websites or online services, has increased in recent years, and the Federal Trade Commission has finalized modifications to its rules implementing COPPA relating to the use of children's data for targeted advertising that became effective June 23, 2025, and for which compliance with most provisions is required as of April 22, 2026. These modifications may subject us to additional liability and require us to dedicate additional compliance resources and modify certain policies and practices. In addition, the GDPR prohibits certain processing of the personal information of children under the age of thirteen to sixteen (depending on jurisdiction) without parental consent where consent is used as the lawful basis for processing that personal information. The CCPA, as amended and supplemented by the CPRA, requires companies to obtain the consent of children in California under the age of sixteen (or parental consent for children under the age of thirteen) before selling their personal information. Several other states have enacted laws that would substantially impact activities that involve showing targeted advertisements to children. There also may be various laws, regulations, industry standards, codes of conduct, or other actual or asserted obligations relating to children's privacy to which we may be, or be asserted to be, subject, or that may otherwise impact our business and operations. For example, the United Kingdom's Age Appropriate Design Code ("AADC") is one such regulatory framework that has been adopted in the United Kingdom that focuses on online safety and protection of children's privacy online, and similar frameworks are being considered in other jurisdictions. Although we take reasonable efforts to comply with applicable laws and regulations and certain other standards, we may in the future face claims under COPPA, the GDPR, the CCPA, the CPRA, or other laws, regulations, or other actual or asserted obligations relating to children's privacy. Several states have enacted or proposed laws imposing new privacy obligations related to health-related personal information beyond traditional medical privacy laws like the Health Insurance Portability and Accountability Act. Washington's My Health, My Data Act, for example, broadly defines consumer health data and includes a private right of action, raising potential litigation risks for the advertising industry. A similar law in Virginia also allows private enforcement. These developments may increase compliance burdens, legal risks, and operational costs for us, our clients, and others in the advertising technology ecosystem. We endeavor to comply with applicable industry standards and are subject to the terms of our privacy-related obligations and commitments to users and third parties. We strive to comply with all applicable laws, policies, legal obligations, and certain industry codes of conduct relating to privacy and data protection, to the extent reasonably attainable. However, it is possible that these or other actual or asserted obligations relating to privacy, data protection, or information security may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. It is also possible that laws, policies, legal obligations, or industry codes of conduct may be implemented, modified, or interpreted in manners that could prevent us from offering services to categories of users, such as residents of a certain jurisdiction or may make it costlier or more difficult for us to do so. Any failure or perceived failure by us to comply with our terms of service or privacy policy, or with applicable laws, regulations, or legal, contractual, or other actual or asserted obligations to users or third parties, concerning privacy, information security, data protection, consumer protection, or protection of minors; or our privacy-related legal obligations, or any compromise of security that results, or is perceived to result, in the unauthorized release or transfer of personal information or other user data, may result in governmental enforcement actions or other proceedings, claims, demands, and litigation by private parties, or public statements against us by consumer advocacy groups or others and could cause our users to lose trust in us, which could adversely affect our business, financial condition, or results of operations. Additionally, if third parties we work with, such as users, developers, vendors, service providers, or other business partners violate applicable laws or our policies, such violations may also put our users' information at risk and could in turn adversely affect our reputation, business, financial condition, and results of operations.

Technology changes rapidly in the advertising ecosystem. Our future success depends in part on our ability to adapt to trends and to innovate. To attract new clients and users and increase revenue from our current clients and users, we may develop new products or enter into new markets, such as e-commerce or social, and we will need to enhance and improve our advertising solutions. Our ability to improve the effectiveness and predictability of our advertising recommendations through improvements to our AI-powered advertising recommendation engine AXON is critical to our continuing success and future growth. Enhancements of our existing technology and offerings, and new offerings, may not be introduced in a timely or cost-effective manner and may contain errors or defects, both of which could adversely affect our business, financial condition, and results of operations. Our business also currently depends in part on the growth and evolution of the internet, especially mobile internet-enabled devices. The number of people using mobile internet-enabled devices has increased rapidly over time, and we expect that this trend will continue. However, the markets in which we operate may not grow in the way we anticipate. We must continually anticipate and adapt to emerging technologies to stay competitive, including the development of AI and its impacts on the advertising ecosystem. As the technological infrastructure for internet access improves and evolves, consumers will be presented with more opportunities to access apps and play games on a variety of devices and platforms and to experience other leisure activities that may compete with mobile apps. Forecasting the financial impact of these emerging technologies and business models is inherently uncertain and volatile. If we decide to support a new technology or business model in the future, it may require partnering with a new platform, technology, or business partner, which may be on terms that are less favorable to us than those for traditional technologies or business models. To invest in a new technology, enter a new market or expand our offerings, we must invest financial resources and management attention. We may invest significant resources in a new offering, entering a new market or in a strategic acquisition or partnership, which could prove unsuccessful or prevent us from directing these resources towards other opportunities. We may never recover the often-substantial up-front costs of developing and marketing emerging technologies or business models, or recover the opportunity cost of diverting management and financial resources. Further, our competitors may adopt an emerging technology or business model more quickly or effectively than we do, creating products that are technologically superior to ours or attract more users than ours. If, on the other hand, we do not continue to enhance our advertising solutions, or do not appropriately allocate our resources amongst opportunities, or we otherwise elect not to pursue new business models that achieve significant commercial success, we may face adverse consequences. It may take significant time and expenditures to shift product development resources to new technologies, and it may be more difficult to compete against existing products incorporating such technologies. If new technologies render mobile devices obsolete or we are unable to successfully adapt to and appropriately allocate our resources amongst current and new technologies, our business, financial condition, and results of operations could be adversely affected.

The advertising and mobile app ecosystems are prone to cyberattacks by third parties seeking unauthorized access to our data or the data of our clients or users or to disrupt our ability to provide service. Our advertising solutions, and other offerings involve the collection, storage, transmission, and other processing of a large amount of data, including personal information, and we and our third-party service providers otherwise store and process information, including our confidential and proprietary business information, and personal information and other information relating to our employees, users, and clients or other third parties. We also store and implement measures designed to secure the source code for our advertising solutions as they are created. Any failure to prevent or mitigate security breaches or incidents impacting our advertising solutions, or our systems or other systems used in our business, or improper access to or disclosure of our data, including source code, or user data, including personal information or content from users, or information from clients or other third parties, that is stored or otherwise processed in our business could result in the unauthorized loss, modification, disclosure, destruction, or other unauthorized processing of such data, or unavailability of data or of our advertising solutions, or other offerings. Any such event, or the perception it has occurred, could adversely affect our business and reputation, damage our operations, result in claims, litigation, or regulatory investigations or enforcement actions, fines, penalties, or other liability or obligations, and diminish our competitive position. In particular, a breach or incident, whether physical, electronic, or otherwise, impacting systems on which source code or other sensitive data are stored could lead to loss, disruption, unavailability, or piracy of, or damage to, our offerings, lost or reduced ability to protect our intellectual property, and diminished competitive position. Malware (including ransomware), viruses, social engineering (predominantly spear phishing attacks or smishing), and general hacking have become more prevalent in the advertising and mobile app ecosystems. Some of these have occurred on our systems and otherwise in our business in the past, and we expect they will continue to occur in the future. We regularly encounter attempts to create false or undesirable user accounts or take other actions for purposes such as spamming or other objectionable ends. Any actual or attempted breaches, incidents, or attacks may cause disruptions or interruptions to our advertising solutions, or other offerings, degrade the user experience, impair, disrupt, or interrupt our systems and networks and other systems and networks used in our business, or adversely affect our reputation, business, financial condition, and results of operations. Our efforts to protect our advertising solutions, and other offerings, our systems and other systems used in our business, and our data, user data, and information from clients, partners, and other third parties, and to disable or otherwise respond to undesirable activities on our offerings, may also be unsuccessful due to software bugs or other technical defects, errors, or malfunctions; employee, contractor, vendor, or partner error or malfeasance, including defects or vulnerabilities in information technology systems or offerings; cyberattacks, attacks designed to disrupt systems or facilities; breaches of physical security of our facilities or technical infrastructure; or other threats that evolve. Additionally, any such breach, incident, attack, malfunction, defect, or vulnerability, or the perception that any of these has occurred, may cause clients or users to lose confidence and trust in our advertising solutions or other offerings and otherwise harm our reputation and market position. In addition, some developers or other business partners, such as those that help us measure the effectiveness of advertisements, may receive or store information provided by us or by our clients or users through mobile or web apps or other means. These third parties or others may misappropriate or misuse this information. If these third parties fail to adopt or adhere to adequate data security practices, or experience a breach of, or other security incident impacting, their networks or systems, our data or our users' data may be lost, destroyed, or accessed, modified, disclosed, or otherwise processed in unauthorized manners. In such an event, or if such an event is perceived to have occurred, we may suffer damage to our reputation, may have increased costs arising from the restoration or implementation of additional security measures and other costs relating to the incident, and we may face claims, demands, investigations, and other proceedings by private parties or governmental actors, and fines, penalties, and other liability or obligations, any of which could adversely affect our business, financial condition, and results of operations. Any theft or unauthorized use or publication of our trade secrets and other confidential business information as a result of such an event could also adversely affect our business, competitive position, and results of operations. Cyberattacks continue to evolve in sophistication and volume, and may be difficult to detect for long periods. Although we have developed systems and processes that are designed to protect our data, user data, and information from our partners; to prevent data loss, disable undesirable accounts and activities on our advertising solutions, or other offerings; and to prevent and detect security breaches, we cannot assure you that such measures will provide comprehensive security, that we have been or will be able to identify breaches or other incidents or to react to them in a timely manner or that our remediation efforts will be successful. We experience cyberattacks and other security incidents of varying degrees from time to time, and we may incur significant costs in investigating, protecting against, litigating, or remediating such incidents. We may face increased risks of cyberattacks and other security incidents as a result of increases in remote work. Our use of third-party systems for remote workforce operations introduces security risks and increased cyberattacks, such as phishing attacks by threat actors as a method for targeting personnel. Further, in connection with geopolitical events and conflicts, such as those in Ukraine and the Middle East, there may be a heightened risk of potential cyberattacks by state actors or others. Additionally, our advertising solutions and other offerings operate in conjunction with, and we are in some cases dependent upon, third-party products, services, and components. Our ability to monitor our third-party service providers' data security is limited, and in any event, attackers may be able to circumvent our third-party service providers' data security measures. There have been and may continue to be significant attacks on certain third-party providers, and we cannot guarantee that our or our third-party providers' systems and networks have not been breached or compromised or do not contain defects or bugs that could result in a disruption, breach, or other incident impacting our systems and networks or those of third parties that support us and our advertising solutions. Security vulnerabilities, malicious code, errors, or other bugs or defects in these third-party products, services, and components could cause us to face increased costs, claims, liability, and additional or new obligations, reduced revenue, and harm to our reputation or competitive position. We and our service providers may be unable to anticipate these techniques, react, remediate or otherwise address any security vulnerability, breach or other security incident in a timely manner, or implement adequate preventative measures. Further, we utilize AI technologies in our advertising solutions and may expand such use in the future. Our use of AI technologies, and the use of AI technologies in third-party products and services, may create additional cybersecurity risks or increase cybersecurity risks, including risks of security breaches and incidents, and related liability and harm to our reputation. AI technologies may also be used in connection with certain cybersecurity attacks, resulting in heightened risks of security breaches and incidents. In addition to our efforts to mitigate cybersecurity risks, we are working to combat misuse of our services and user data by third parties. We may not discover all such incidents or other activities, in connection with our efforts to combat misuse or otherwise, and we may be notified of such incidents or activity by users, clients, the media, or other third parties. Such incidents and activities have in the past, and may in the future, include the processing of user data or use of our systems in manners inconsistent with our terms, contracts or policies, the existence of false or undesirable user accounts, improper advertising practices, spamming, or unsecured datasets, and may also include activities that threaten people's safety, or scraping, or data harvesting. We may also be unsuccessful in our efforts to enforce our policies or otherwise remediate or respond to any such incidents effectively or in a timely manner. Any of the foregoing developments, or any reports of them occurring or the perception that any of them has occurred, could adversely affect user trust and engagement, harm our brand and reputation, require us to change our business practices, result in claims, demands, investigations, and other proceedings by private parties or governmental actors, and fines, penalties, and other liability or obligations, and adversely affect our business, financial condition, and results of operations. We are subject to a variety of laws and regulations in the United States and abroad relating to cybersecurity and data protection, some of which provide a private right of action. Many jurisdictions have enacted breach notification obligations, and our agreements with certain customers or partners may require us to notify them or fulfill other obligations in the event of a security breach or incident. Affected users or government authorities could initiate legal or regulatory actions against us in connection with any actual or perceived security breaches or incidents or improper access to or disclosure or other processing of data, which has occurred in the past or may occur in the future, and which could cause us to incur significant expense and liability, distract management and technical personnel, and result in orders or consent decrees forcing us to modify our business practices and to pay fines or penalties. Such actual or perceived breaches or other incidents or our efforts to remediate these events may also result in a decline in our active user base or engagement levels. Any of these events could adversely affect our reputation, business, financial condition, or results of operations. Our insurance coverage may not extend to all types of privacy or security breaches or other incidents, and it may be insufficient to cover all costs and expenses associated with such events. Further, such insurance may not continue to be available to us in the future on economically reasonable terms, or at all, and insurers may deny us coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition of large deductible or co-insurance requirements, could have a material adverse effect on our business, including our reputation, financial condition, or results of operations.

We face significant competition in the advertising ecosystem. We offer a suite of solutions for advertisers to get their content discovered and downloaded by the right users, optimize return on marketing spend, and maximize the monetization of their engagement. We collect revenue from clients for fees paid by advertisers, including developers, that use our advertising solutions. Advertisers often engage with several advertising platforms and networks to purchase advertisements and developers often engage with multiple tools to market and monetize their apps. Accordingly, we face significant competition from traditional, online, and mobile businesses that provide ad networks and platforms and other services for advertisers to reach relevant audiences. We also face competition from providers of developer tools that enable developers to reach their audiences or manage or optimize their advertising campaigns. These companies vary in size and include Facebook, Google, Amazon, and Unity Software as well as various private companies, several of which are also our partners and clients. Clients who are also competitors may decide to invest in their own offerings rather than continue to use our advertising solutions. We also face competition for advertising spending and for the discretionary spending, leisure time, and attention of our users from game platforms such as personal computer and console games, and other leisure time activities, such as television, movies, music, sports, and the internet. During periods of macroeconomic uncertainty, levels of advertising and discretionary spending have historically decreased and are likely to decrease and therefore this competition may intensify, which has at times harmed and may in the future harm our revenue. To the extent we explore entering into new markets or new business opportunities in the advertising ecosystem or otherwise, we may also compete with established businesses with more experience in such areas. Some of our current and potential competitors may be domiciled in different countries and subject to political, legal, and regulatory regimes that enable them to compete more effectively than us, particularly outside of the United States. Some of our current and potential competitors may have greater resources, more diversified revenue streams, better technological or data analytics capabilities, or stronger brands or competitive positions in certain product segments, geographic regions, or user demographics than we do. If clients or users prefer our competitors' products or services over our own, or if our competitors are better able to adapt to changes in the preferences of advertisers or users, regulations, or other developments, our business, financial condition, and results of operations could be adversely affected.

We believe that investing in and maintaining the AppLovin brand is critical to maintaining and creating favorable relationships with, and our ability to attract, new clients, and key personnel. Increasing awareness of the AppLovin brand will depend largely upon our marketing efforts and our ability to successfully differentiate our advertising solutions from the offerings of our competitors. In addition, successfully globalizing and extending our brand requires significant investment and extensive management time. If we fail to maintain and increase brand awareness and recognition of our advertising solutions, our business, financial condition, and results of operations could be adversely affected.

Our future success depends in significant part on the continued service of our key management and engineering personnel, including our co-founder, CEO, and Chairperson, Adam Foroughi. Our ability to compete and grow depends in part on the efforts and talents of these employees and executives, who are important to our vision, strategic direction, culture, products, and technology. We do not have employment agreements, other than offer letters, with Mr. Foroughi or other members of our senior management team, and we do not maintain key-man insurance for members of our senior management team. The loss of Mr. Foroughi or any other member of our senior management team could cause disruption and adversely affect our business, financial condition, or results of operations. We believe strongly in operating a lean organizational structure, leveraging technology wherever possible, as it allows us to adapt our business as needed and affords increased opportunity to our employees. While this approach enhances efficiency and cost control, it may also expose us to certain risks. While we believe our lean culture allows us to move faster than other companies our size, a lean workforce could limit our ability to scale operations quickly in response to increased demand, develop new products or services in a timely manner, or effectively manage multiple initiatives simultaneously. Additionally, key employees often hold multiple responsibilities, making us more vulnerable to disruptions caused by turnover or unexpected absences. If we are unable to attract, retain, and efficiently allocate personnel, our operational capabilities, growth potential, and competitive position could be adversely affected. Furthermore, as we expand, we may need to hire additional employees and enhance our infrastructure to support growth. Failure to do so in a timely or effective manner could strain our existing workforce and negatively impact our financial performance and strategic objectives. In addition, our ability to execute our strategy depends in part on our continued ability to identify, hire, develop, motivate, and retain highly skilled employees, particularly in the competitive fields of AI development, machine learning, product management, engineering, and data science. We believe that our corporate culture has been an important factor in our ability to hire and retain key employees, and if we are unable to maintain our corporate culture as we grow, we may be unable to foster the innovation, creativity, and teamwork we believe we need to support our growth. While we believe we compete favorably, competition for highly skilled employees is intense, particularly in Silicon Valley, where our headquarters is located. Interviewing, hiring, and integrating new employees has been and will continue to be challenging as we continue to navigate the global working environment. If we are unable to identify, hire, and retain highly skilled employees, our business, financial condition, and results of operations could be adversely affected.

General macroeconomic conditions, such as inflation, high interest rates, or a recession or economic slowdown in the United States or internationally, including those resulting from tariffs, trade wars, uncertainty in the global banking and financial services markets, political uncertainty and international conflicts around the world, such as between Russia and Ukraine and in the Middle East, as well as friction between the United States and China, could create uncertainty and adversely affect discretionary consumer spending habits and preferences as well as advertising spending. In addition, changes in macroeconomic conditions, including those due to recent actual and proposed tariff increases imposed by the United States on various trading partners, could change consumer behavior and adversely affect advertising spending and costs related to our operations. Specifically, the U.S. has imposed significant new and escalated tariffs on products from China since February 2025, significant new tariffs on many products of Canada and Mexico since March 2025, and a global tariff on most products from almost all other U.S. trading partners since April 2025; these policies have been fluid and the full economic impact of these policies is currently uncertain. Our revenue is driven in part by discretionary consumer spending habits and preferences, and by advertising spending patterns. Historically, consumer purchasing and advertising spending have each declined during economic downturns and periods of uncertainty regarding future economic prospects or when disposable income or consumer lending is lower. In certain periods in 2022, we experienced the impacts of the macroeconomic deterioration as advertisers more closely managed budgets and reduced overall spend, which resulted in slowed growth for our advertising solutions. Uncertain economic conditions may impact advertiser spending in future periods and may also adversely affect our clients, which in turn may harm our business, financial condition, and results of operations. In addition, the economic conditions affecting the financial markets, and uncertainty in global economic conditions may result in a number of adverse effects including a low level of liquidity in domestic and global markets, volatility in credit, equity, and currencies and instability in the stock market. There could be a number of other follow-on effects from these economic developments on our business, including customer insolvencies, decreased demand for our marketing solutions; decreased customer ability to pay their accounts, and increased collections risk and defaults. We are particularly susceptible to market conditions and risks associated with the advertising ecosystem, including changes in user demographics, the availability and popularity of other forms of entertainment, and critical reviews and public tastes and preferences, which may change rapidly and cannot necessarily be predicted. Our business is subject to economic, market, public health, and geopolitical conditions, as well as natural disasters beyond our control. For example, we have employees located in Israel and as a result of the international conflict in the Middle East, we have incurred and are likely to continue to incur costs to support our employees and address related challenges. In addition, our management has spent time and attention on these and related events and will continue to monitor and assess the ongoing disruptions to our team members, our management, and our operations, each of which could potentially harm our business. We may also experience interruptions or delays in the services they provide to us as a result of such geopolitical volatilities. Further, we have operations in China and the continuing tension between the U.S. and China may impact our business and results of operations in the future. The U.S. government has restricted the ability to send certain products and technology to China without an export license. In many cases, these licenses are subject to a policy of denial and will not be issued. While our current products are not restricted by these controls, such controls or future restrictions could impact our business in the future. Additionally, the U.S. government also continues to add additional entities in China and other countries to restricted party lists impacting the ability of U.S. companies to engage with these entities. In addition, the Chinese government has retaliated, and may continue to retaliate, to recent changes in U.S. tariffs and export controls in ways that could indirectly impact our business. While not currently material to the operation of our business, management and our board of directors have discussed and assessed, and will continue to discuss and assess, any risks related to international conflicts around the world, such as in Ukraine and the Middle East, as well as tension between the United States and China, including but not limited to, risks related to cybersecurity, sanctions, regulatory changes, and personnel based in affected regions to ensure we are prepared to react to new developments or further sanctions as they arise. If we are unable to promptly or properly react to new developments in these and other international regions, our business, financial condition, and results of operations could be adversely affected. Our principal offices are located in Palo Alto, an area known for earthquakes and susceptible to fires, and are thus vulnerable to damage. All of our facilities are also vulnerable to damage from natural or manmade disasters, including power loss, earthquakes, fires, explosions, floods, communications failures, terrorist attacks, contagious disease outbreak (such as the COVID-19 pandemic), and similar events. If any disaster were to occur, our ability to operate our business at our facilities could be impaired and we could incur significant losses, recovery from which may require substantial time and expense.

We expect to continue to expand our international operations in the future by opening new offices, acquiring companies that may have international operations, and providing our offerings in additional countries and languages. For example, our resources are located throughout the world, including in areas with less certain legal and regulatory regimes or more potential risks. Expanding our international operations may subject us to risks associated with: - recruiting and retaining talented and capable management and employees in foreign countries;- challenges caused by distance, language, and cultural differences;- increased risk of loss, data breaches or cybersecurity attacks from our global operations;- developing and customizing advertising solutions that appeal to the tastes and preferences of users in international markets;- the inability to offer certain advertising solutions in certain foreign countries;- competitors with intellectual property rights and significant market share in those markets and with a better understanding of user preferences;- utilizing, protecting, defending, and enforcing our intellectual property rights;- the inability to extend proprietary rights in our brand, content, or technology into new jurisdictions;- compliance with applicable foreign laws and regulations, including anti-bribery laws, privacy and data protection laws, AI laws, and laws relating to content and consumer protection;- credit risk and higher levels of payment fraud;- currency exchange rate fluctuations;- protectionist laws and business practices that favor local businesses in certain countries;- double taxation of our international earnings and potentially adverse tax consequences due to changes in the tax laws in the United States or the foreign jurisdictions in which we operate;- political, economic, macro-economic climate and social instability, including impacts related to labor, supply chain disruptions, inflation, and as a result of war, terrorism, or armed conflict, including international conflicts around the world, such as between Russia and Ukraine and in the Middle East, as well as, increasing friction between the United States and China and the impacts on their respective regions and the regional and global economy;- public health crises, such as the COVID-19 pandemic, which can result in varying impacts to our employees, clients, users, advertisers, app developers, and business partners internationally;- higher costs associated with doing business internationally, including costs related to local advisors;- export or import regulations; and - trade and tariff restrictions. Our ability to successfully gain market acceptance in any particular international market is uncertain and, in the past, we have experienced difficulties and have not been successful in all the countries we have entered. If we are unable to continue to expand internationally or manage the complexity of our global operations successfully, our business, financial condition, and results of operations could be adversely affected.