RISK FACTORS
Investing in our securities described herein involves risk. You should carefully consider the risk factors and uncertainties described under
the heading Item 3. Key InformationD. Risk Factors in our most recently filed annual report on Form 20-F, which is incorporated in this prospectus by reference, and any updates in any of our
subsequent filings under the Exchange Act and, if applicable, in any accompanying prospectus supplement, as well as the information relating to us identified in Special Note Regarding Forward Looking Statements, before investing in any
of the securities that may be offered or sold pursuant to this prospectus. These risks and uncertainties could materially affect our business, results of operations or financial condition and cause the value of our securities to decline. Although we
discuss key risks in our discussion of risk factors, new risks may emerge in the future, which may prove to be significant. Our subsequent filings with the SEC may contain amended and updated discussions of significant risks. We cannot predict
future risks or estimate the extent to which they may affect our financial performance.
Risks Related to Our Business
Failure to protect the integrity and security of company staff, supplier and customer information and comply with cybersecurity, data privacy, data
protection or any other laws and regulations related to data may materially and adversely affect our business, financial condition and results of operations, and/or result in damage to reputation and/or subject us to fines, penalties, lawsuits,
restrictions on our use or transfer of data and other risks.
Our businesses collect, use and transmit large volumes of data,
including credit card numbers and personal data in various information systems relating to our customers, suppliers and staff, and such personal data may be collected and/or used in, and transmitted to or from, multiple jurisdictions. We may be
subject to a variety of cybersecurity, data privacy, data protection and other laws and regulations related to data, including those relating to the collection, use, sharing, retention, security, disclosure, and transfer of confidential and private
information, such as personal information and other data. These laws and regulations apply not only to third-party transactions, but also to transfers of information within our organization. These laws and regulations may restrict our business
activities and increase our compliance costs and efforts. Any breach or non-compliance may subject us to proceedings, damage our reputation, or result in penalties and other significant legal liabilities, and thus may materially and adversely affect
our business, financial condition, and results of operations.
Our customers, suppliers and staff have a high expectation that we will
adequately protect their personal information. Such collection, use and/or transmission of personal data are governed by privacy laws and regulations and such laws and regulations change often, vary significantly by jurisdiction and often are newly
enacted. For example, the European Union (EU)s General Data Protection Regulation, or the GDPR, which became effective in May 2018, requires companies to meet new and more stringent requirements regarding the handling of personal data. The
GDPR may also capture data processing by non-EU firms with no EU establishment if, for example, they conduct direct marketing that specifically targets individuals in the EU. As GDPR is a newly enacted law, there is limited precedence on the
interpretation and application of GDPR.
In some jurisdictions, including the PRC where we do not currently have operations, the
cybersecurity, data privacy, data protection, or other data-related laws and regulations are relatively new and evolving, and their interpretation and application may be uncertain. For example, the Cybersecurity Administration of China, or CAC,
issued the New Measures for Cybersecurity Review, or the New Measures, on January 4, 2022, which amended the Measures for Cybersecurity Review (Draft Revision for Comments) released on July 10, 2021 and came into effect on February 15, 2022. The New
Measures extend the scope of cybersecurity review to network platform operators engaging in data processing activities that affect or may affect national security, including overseas listings. Specifically, the New Measures provide that if a network
platform operator who possesses personal information of more than one million users plans to be listed in foreign countries, it must apply for cybersecurity review and, in any event, the CAC has the authority to initiate a cybersecurity review if it
considers
11