Grindr (GRND) Risk Analysis

The Committee on Foreign Investment in the United States ("CFIUS") is an interagency body of the U.S. government authorized to review certain foreign investment transactions in U.S. businesses ("Covered Transactions") in order to determine the effect of such transactions on the national security of the United States. If CFIUS determines that a Covered Transaction presents national security risks to the United States and that other provisions of law do not provide adequate authority to address the risks, then CFIUS may enter into an agreement with, or impose conditions on, parties to mitigate such risks or may refer the case to the President who may suspend, prohibit, or unwind the transaction. As widely reported in media coverage, we have previously been the subject of CFIUS scrutiny in connection with a prior Covered Transaction. Certain past or future investments in our business by foreign investors may be Covered Transactions subject to CFIUS jurisdiction for review depending on the nationality of the foreign investor, the structure of the transaction, and the governance and voting interests acquired by the foreign person. Submission of a notification to CFIUS with respect to a Covered Transaction related to our business could result in significant transaction delays, as CFIUS' review of a Covered Transaction can last between thirty days and several months, if not longer, depending on the form of the filing, the complexity of the transaction, the nationality and identity of the parties, and the underlying national security risks associated with the Covered Transaction. If CFIUS identifies national security concerns arising from a prior investment into the Company, CFIUS has the authority to initiate a post-closing inquiry and can demand information from the parties or require a filing at any time. In the event CFIUS reviews a Covered Transaction relating to our business, there can be no assurances that the relevant foreign investor will be able to maintain, or proceed with, participation in the Covered Transaction on terms acceptable to such foreign investor. If CFIUS identifies national security concerns with an existing foreign investor, CFIUS could exercise its authority to force a divestiture or unwind a prior transaction, which could have a material adverse effect on our share price. In addition, potential restrictions on the ability of foreign persons to invest in us could affect the price that an investor may be willing to pay for shares of our common stock. In some circumstances, moreover, we may choose not to pursue certain investments or other transactions, which are otherwise attractive, solely or in part based on an evaluation of the associated CFIUS risks. The parties to the Merger Agreement sought and obtained CFIUS approval for the Business Combination. On March 6, 2023, CFIUS concluded its review of the Business Combination and determined that there were no unresolved national security concerns. As part of the resolution of the CFIUS review, we entered into a National Security Agreement ("NSA") with certain CFIUS monitoring agencies ("CMAs") to address national security risks identified by CFIUS. Pursuant to the NSA, we have agreed to protect our data, including by implementing a data security plan, appointing a security officer, and periodically meeting with and reporting to the CMAs, among other terms. Our operating results may be negatively affected by increased compliance costs associated with the NSA measures and if we fail to comply with our obligations under the NSA, we may be subject to potential penalties.

In recent years, there has been an increase in attention to and regulation of data protection and data privacy across the globe, including in the United States, the European Union and the United Kingdom. For example, we are subject to the GDPR; the UK GDPR (i.e., the GDPR as it continues to form part of the law of the United Kingdom by virtue of section 3 of the EU (Withdrawal) Act 2018 and subsequently amended); the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"); the Brazilian General Data Protection Law ("LGPD"); and China's Personal Information Protection Law of the P.R.C. ("PIPL"). These laws impose strict requirements for processing personal data and impose significant fines for violations. For example, LGPD penalties may include fines of up to 2% of the organization's revenue in Brazil in the previous year or 50 million reais (approximately $9.3 million U.S. dollars); PIPL affords fines of up to RMB50 million or 5% of our annual turnover in the preceding year and revocation of our license to do business in China; and, under the GDPR and the UK GDPR, we may be subject to fines of up to €20 million/£17,500,000 or up to 4% of the total worldwide annual group turnover of the preceding financial year (whichever is higher), as well as face claims from individuals based on the GDPR and UK GDPR's private right of action. Other comprehensive data privacy or data protection laws or regulations have been passed or are under consideration in other jurisdictions, including India and Japan, as well as various U.S. states. Laws such as these give rise to an increasingly complex set of compliance obligations on us, as well as on many of the third parties with whom we work. These obligations include, without limitation, imposing restrictions on our ability to gather personal data, providing individuals with the ability to opt out of certain personal data processing, imposing obligations on our ability to sell or share data with others, and potentially subject us to fines, lawsuits, and regulatory scrutiny, any of which may materially adversely affect our business, financial condition, and results of operations. Under our current business model, we are not and do not expect to become subject to the privacy and security provisions under the federal Health Insurance Portability and accountability Act of 1996 and its implementing regulations (collectively, "HIPAA") and its implementing regulations as a business associate or covered entity, given we do not engage in standard transactions or otherwise process protected health information, as those terms are defined under HIPAA. If we become subject to HIPAA, however, we may need to implement additional data privacy and security safeguards and infrastructure, which may take significant time and resources. The GDPR and the UK GDPR includes obligations and restrictions concerning the consent and rights of individuals to whom personal data relates, the transfer of personal data out of the EEA and the United Kingdom, security breach notifications, and the security and confidentiality of personal data more generally, including more stringent requirements for personal data classified as "sensitive." In addition, individuals have a right to compensation under the GDPR and the UK GDPR for financial or non-financial losses. To the extent we are determined or alleged to have been or be out of compliance with the GDPR, UK GDPR or e-Privacy legislation, such determination or allegation could materially adversely affect our business, financial condition, and results of operations. Because we do not have a main establishment in the European Union, we are subject to inquiries from any of the EEA and UK data protection regulators. Over the last few years, we have received and responded to inquiries from the Norwegian Data Protection Authority ("NDPA"), the Spanish Data Protection Authority, the Slovenian Data Protection Authority, and the Austrian Data Protection Authority, among other non-EU data protection authorities, including the ICO. For example, in January 2021, the NDPA notified us of its preliminary decision that we had disclosed personal data to third parties without a legal basis in violation of Article 6(1) GDPR and that we disclosed special categories of personal data to third parties without a valid exemption from the prohibition in Article 9(1) GDPR. In December 2021, NDPA issued an administrative fine against Grindr in the amount of NOK 65,000,000 (approximately $5,716,165 using the exchange rate as of December 14, 2024). We appealed but the Norwegian Privacy Appeals Board (the "NPAB") upheld NDPA's original decision and fine of NOK 65,000,000. We then filed suit in the Oslo District Court to overturn the NPAB's decision. On July 1, 2024, the Oslo District Court upheld the prior decision and ordered Grindr to pay the government attorneys fees. We filed an appeal to the Norwegian Appeals Court on September 13, 2024. The Norway proceeding has caused us to incur significant expense, we have been the subject of negative publicity, and the existence of the proceeding has, and may continue to, negatively impact our efforts to retain existing users and add new users and deteriorated our relationships with advertisers and other third parties. The ultimate outcome of this proceeding may materially adversely affect our business, financial condition, and result of operations. Additionally, we may face class action or similar group litigation in certain European jurisdictions, where legal frameworks and collective redress mechanisms allow large groups of plaintiffs to bring claims against companies for alleged violations of laws or regulations. Although class action lawsuits are less common in Europe compared to the United States, some EU countries have seen a rise in collective actions, particularly in areas like consumer protection, data privacy, and competition law. Notably, the transposition of Directive (EU) 2020/1828 across EU Member States has established or enhanced the framework for collective redress, enabling qualified entities like noyb (the European Center for Digital Rights) to represent groups of plaintiffs in data protection-related claims throughout the European Union. As a result, we could face significant legal and financial exposure, including reputational harm and substantial legal defense costs, even if we ultimately prevail in such actions. Additionally, as the legal and regulatory landscape for collective claims in Europe continues to evolve, our risk of exposure to such litigation may increase in the future. For example, in April 2024, we received pre-action notice that multi-party claimants had issued proceedings against us alleging misuse of users' personal data and self-reported health information before April 2018 and between May 2018 and April 2020. Claims are asserted under the Data Protection Act 1998 for the first period, under the UK GDPR and Data Protection Act 2018 ("DPA 2018") for the second period, and for the tort of misuse of private information across both periods. The claimants' legal representatives have asserted that claimants may be entitled to damages of between £1,000 or £10,000, or more. Grindr has denied liability and the alleged quantum in pre-action correspondence. In November 2024, the claimants' legal representatives stated that 4,271 claimants were party to the claim and that they were actively engaging with 13,199 other users. As of March 2025, proceedings have not yet been served on Grindr. In addition, the United Kingdom's exit from the European Union ("Brexit") and ongoing developments in the United Kingdom could result in the application of new data privacy and protection laws and standards to our activities in the United Kingdom and our handling of personal data of users located in the United Kingdom. The relationship between the United Kingdom and the European Union in relation to certain aspects of data protection law remains unclear, and it is unclear how UK data protection laws and regulations will develop in the medium to longer term, and how data transfers to the United Kingdom from the EEA will be regulated in the long term. For example, the UK's Data Protection and Digital Information Bill, containing proposals for the UK GDPR to diverge from the GDPR, was reintroduced to Parliament in March 2023. Further, though the European Commission has adopted an adequacy decision in favor of the United Kingdom, enabling data transfers from the EEA to the United Kingdom, the decision will automatically expire in June 2025 unless the European Commission re-assesses and renews/ extends that decision, and remains under review by the Commission during this period. As a consequence of Brexit, we are exposed to two parallel regimes (the GDPR and the UK GDPR), each of which potentially authorizes similar, but separate, fines and other potentially divergent enforcement actions for the same alleged violations. Moreover, we may become subject to stringent data localization or transfer requirements, particularly for any data transfer from Europe and other jurisdictions to the United States or other countries, and we may be required to review and amend the legal mechanisms by which we make available or transfer personal data with third parties. As supervisory authorities issue further guidance on data export mechanisms, we could suffer additional costs, complaints and/or regulatory investigations or fines if our compliance efforts are not deemed sufficient. In addition, if we are unable to transfer personal data between and among countries, it could affect the manner in which we provide our products and services or the location or segregation of our systems and operations, and adversely affect our financial results. In the event any court blocks direct collection of personal data or personal data transfers to or from a particular jurisdiction, this could give rise to operational interruption in the performance of services for customers, greater costs to implement permissible alternative data transfer mechanisms, regulatory liabilities, or reputational harm and negative publicity. Failure to comply with the evolving interpretation of data privacy and data protection laws could subject us to liability, and to the extent that we need to alter our business model or practices to adapt to these obligations, or to respond to further inquiries regarding our compliance with privacy and data protection laws, we could incur additional and significant expenses, which may in turn materially adversely affect our business, financial condition, and results of operations. Regulators in the United States such as the Department of Justice are also increasingly scrutinizing certain personal data transfers and have proposed and may enact certain data transfer restrictions, for example, the Biden Administration's executive order Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.

If we begin to offer products and services in the travel sector, we would face competition from different types of companies in the various markets and geographies where we may operate, including large and small companies in the travel and leisure space as well as broader service providers. We could face competition for content, consumers, advertisers, online travel search services, providers of travel, lodging, experiences, and restaurant reservation and related services. Current and new competitors can launch new services at a relatively low cost. In recent years, there has been a proliferation of new channels through which service providers can offer accommodations, experiences, restaurant reservations, and other travel related services. Competitors in this market may offer a variety of services similar to ours and, in some cases, may be willing to make little or no profit on a transaction, or offer travel services at a loss, in order to gain market share. Competitors could also have significantly greater financial, technical, marketing, and other resources; or may have more expertise in developing and facilitating such services. Competition could negatively impact our ability to successfully enter or otherwise compete in the travel sector, or hurt our ability to realize the full benefits of expansion into this sector.

We currently generate a portion of our revenue from advertising on our products and services, which is presented in our indirect revenue. We attract third-party advertisers because of our extensive GBTQ user base worldwide, among other factors. Any decrease or slower growth in our user base or user engagement may discourage new or existing advertisers from advertising on our products and services. The advertisers and advertising platforms control their respective development and operation, and we have little input, if any at all, into how their platforms operate. In addition, we largely do not have control over the type of advertisers or the content of their advertisements on our platform. Any deterioration in our relationship with these platforms, any changes in how they operate their platforms or in the requirements regarding the content on our platform, or any deterioration in the platforms' relationships with advertisers that advertise on our platform may materially adversely affect our advertising revenue. Any loss of existing advertisers or failure to attract new advertisers will materially adversely affect our business, financial condition, and results of operations. Our advertisers typically do not have long-term advertising commitments with us. The majority of our advertisers spend only a relatively small portion of their overall advertising budget with us. In addition, certain advertisers may view some of our products and services as controversial, experimental, or unproven. Advertisers will not continue to do business with us, or they will reduce the prices they are willing to pay to advertise with us, if we do not deliver ads and other commercial content in an effective manner, or if they do not believe that their investment in advertising with us will generate a competitive return relative to other alternatives. Moreover, we rely on the ability to collect and disclose data and metrics for our advertisers to attract new advertisers and retain existing advertisers. Restrictions, whether by law, regulation, policy, or any other reason, on our ability to collect and disclose data to our advertisers may impede our ability to attract and retain advertisers. Our ability to collect and disclose data may also be adversely affected by third parties, such as third-party publishers and platforms. See "- If the use of third-party cookies or other tracking technology is rejected by our users, restricted by third parties outside of our control, or otherwise subject to unfavorable regulation, our performance could be negatively impacted and we could incur significant revenue loss or increased costs." In addition, our advertising revenue could also be adversely affected by many factors both within and beyond our control, including: - decreased user access to and engagement with us through our products and services;- our inability to maintain or improve our analytics and measurement solutions that demonstrate the value of our ads and other commercial content;- adverse legal developments or user sentiment relating to advertising, online safety, data privacy, artificial intelligence, and collection of personal data for targeted advertising purposes, including legislative action, regulatory developments, and litigation;- adverse media reports or other negative publicity involving us or other companies in our industry. The occurrence of any of these or other factors could result in a reduction in demand for our ads and other commercial content, which may reduce the prices we receive for our ads and other commercial content, or cause advertisers to stop advertising with us altogether, any of which could negatively affect our business.

In addition to purchases through the Apple App Store and the Google Play Store, we accept payment from our users through certain third-party payment service providers. We expect to explore and implement additional payment mechanisms based in part upon Apple's recent announcement that it would allow app developers to process payments for subscriptions and other premium add-ons outside of Apple's payment system. See "-Risks Related to our Brand, Products and Services, and Operations-We rely primarily on the Apple App Store and Google Play Store for distribution of and access to our products and services, and as the channels for processing of payments. In addition, access to our products and services depends on mobile app stores and other third parties such as data center service providers, as well as third-party payment aggregators, computer systems, internet transit providers and other communications systems and service providers. If these third parties limit, prohibit, fail to operate, or otherwise interfere with the distribution or use of our products or services in any material way, or if our relationships with Apple, Google, or other such third parties deteriorate, it could materially and adversely affect our business, financial condition, and results of operations." The ability to automatically process credit card information or other account charges on a real-time basis without having to proactively reach out to the consumer each time we process an auto-renewal payment or a payment for the purchase of a premium feature on any of our products and services will be critical to our success and to a seamless experience for our users. When we or a third party experiences a data security breach involving credit card information, affected cardholders will often cancel their credit cards, meaning the payment information we store about them is no longer valid. In the case of a breach experienced by a third party, the more sizable the third party's customer base and the greater the number of credit card accounts impacted, the more likely it is that such a breach would impact our users. To the extent our users are affected by such a breach experienced by us or a third party, affected users would need to be contacted by us for us to obtain new credit card information to process any pending transactions with us. It is likely that we would not be able to reach all affected users, and even if we could, some users' new credit card information may not be obtained and some pending transactions may not be processed, which could materially adversely affect our business, financial condition, and results of operations. In addition, even if our users are not directly impacted by a given data security breach, they may lose confidence in the ability of our service providers to protect their personal data generally, which could cause them to stop using their credit cards online and choose alternative payment methods that are not as convenient for us or restrict our ability to process payments without significant cost or user effort. Moreover, if we fail to adequately prevent fraudulent credit card transactions, we may face regulatory investigation, litigation (including class claims) and mass arbitration demands, fines, governmental enforcement action, civil liability, diminished public perception of our security measures, significantly higher credit card-related costs and substantial remediation costs, or refusal by credit card processors to continue to process payments on our behalf, any of which could materially adversely affect our business, financial condition, and results of operations. Finally, existing-and the passage or adoption of any new-legislation or regulation affecting the ability of service providers to periodically charge consumers for, among other things, recurring subscription payments may materially adversely affect our business, financial condition, and results of operations. In addition, many U.S. states are considering similar legislation or regulation, or changes to existing legislation or regulation governing subscription payments. While we will endeavor to monitor and attempt to comply with these legal developments, we may in the future be subject to claims under such legislation or regulation. The occurrence of any of these or other factors could negatively and materially affect our business, financial condition, and results of operations.

We receive a high degree of media attention around the world, partly due to the social and cultural sensitivities associated with the particular demographic group that we serve, all of which has affected, and could in the future affect, the reputation and market perception of our brand. Regardless of its accuracy or authenticity, negative publicity concerning us,including media coverage regarding the actions of our users on or off our platform, our Terms and Conditions of Service or privacy practices, the quality or safety of our products and services (including, for example, our use of AI/ML technologies including generative AI), minors using our platforms, the actions of our advertisers or other partners, litigation or regulatory activity, and/or the actions of other companies that provide similar services to us, could materially and adversely affect our brand, which could, in turn, materially and adversely affect the size, engagement, and loyalty of our user base; our ability to attract and retain talent; and the number and quality of advertisers that choose to advertise on our platform. For example, since at least 2016, multiple news outlets and research groups have identified ways to allegedly determine the precise geolocation of users of Grindr and similar services. Although our users have the choice not to display their relative location in the Grindr cascade, trilateration (i.e., the process of estimating a user's location by combining the distance measurement from three points surrounding a user), is a common risk in location-based apps and could be perceived as a threat to users' location privacy in some jurisdictions. These risks have led to multiple regulatory inquiries. We cannot assure you that we will be able to defuse negative publicity about us and/or our services to the satisfaction of our users, advertisers, platform partners, and other stakeholders. If we fail to protect our brand or reputation, given our reliance on the strength of our brand and organic growth, we may experience material adverse effects to the size, demographics, engagement, and loyalty of our user base, resulting in decreased revenue, fewer Grindr mobile application installs (or increased Grindr mobile application uninstalls), fewer conversions to premium subscriptions, or slower user growth rates, among other negative effects. Negative publicity, especially when it is directly addressed against us, may also require us to engage in media campaigns that, in turn, may require us to increase our marketing expenses and divert our management's attention and may adversely impact our business and results of operations. If events occur that damage our brand and reputation and we fail to respond promptly or if we incur excessive expenses in these types of efforts, our business, financial condition and results of operations could be materially and adversely affected.

From the date of our Business Combination until March 5, 2025, our closing stock price ranged from $4.65 per share to $36.50 per share. The market price of our common stock could be subject to wide fluctuations in response to the risk factors listed in this section and others beyond our control. Further, stock markets may experience extreme price and volume fluctuations that can affect the market prices of equity securities. These fluctuations can be unrelated or disproportionate to the operating performance of those companies. In addition, transactions by us in our securities such as our recent redemption of all of our outstanding public and private warrants in February 2025 may introduce further volatility as the market responds. These broad market and industry fluctuations, as well as general economic, political and market conditions such as recessions, interest rate changes or international currency fluctuations, could harm the market price of our common stock.

We are testing a range of new initiatives across our core business and related to gayborhood expansion. There are no assurances that we will be successful in executing our strategies. Our efforts may prove more difficult than we currently anticipate. Further, we may not succeed in realizing the benefits of these efforts on our anticipated timeline or at all. In addition, as we implement our strategies, the macroeconomic environment, including inflationary pressures, higher labor costs, and changes in consumer and merchant behavior may make it more difficult to effectively execute our strategy. Even if fully implemented, our strategy may not result in growth or the other anticipated benefits to our business, financial condition and results of operations, and could divert management's attention away from our core business. If we are unable to effectively execute our strategy and realize its anticipated benefits, it could negatively impact our business, financial condition and results of operations.

While there has been substantial progress in the recognition and protection of LGBTQ rights in certain parts of the world, identification as LGBTQ remains stigmatized, marginalized, and deemed illegal in many regions, and the situation is getting worse in many places. We have faced and may continue to face serious incidents in which government authorities in certain countries use our products and services to persecute, arrest, and assault LGBTQ individuals under charges of "promoting sexual deviancy" and "inciting immorality," among others. Relatedly, in some places in the world criminal gangs and individuals may prey upon our users and other members of the LGBTQ community without deterrence because law enforcement may be unwilling to protect LGBTQ people from harm. In addition, some countries, including Pakistan and the Crimean Peninsula in Ukraine, have banned our products and services and the products and services of other companies that provide services for and promote the LGBTQ community. Access to our Grindr platform in other countries, such as China, Turkey, Lebanon, Indonesia, the United Arab Emirates, Saudi Arabia, and Qatar, may only be available through the use of services such as virtual private networks ("VPNs"), or via home wireless networks, thereby decreasing accessibility to our products and services. Adverse social and political environments for the LGBTQ community could limit our geographical reach, business expansion, and user growth, any of which could materially and adversely affect our business, financial condition, and results of operation. In addition, government authorities in various countries may seek to restrict user access to our products and services, if they consider us to be in violation of their laws, a threat to public safety, or for other reasons, including if they consider the content on our products and services to be immoral or indecent. If content shown on our products and services is subject to censorship, access to our products and services may be restricted (in whole or in part) in one or more countries, we may be required to or elect to make changes to our operations or other restrictions may be imposed on our products and services. If our competitors can successfully penetrate new geographic markets or capture a greater share of existing geographic markets that we cannot access or where we face other restrictions, our ability to retain, expand, and engage our user base and qualify advertisers may be adversely affected, we may not be able to maintain or grow our revenue as anticipated, and our business, financial condition, and results of operations could be materially adversely affected.

Although none of our employees are currently covered under a collective bargaining agreement, our employees may elect to be represented by labor unions. In July 2023, a labor union filed an election petition with the National Labor Relations Board ("NLRB") seeking to represent certain of our employees. Acting on the petition, the NLRB conducted a secret-ballot election in November and December 2023, which remained ongoing as of December 31, 2024, due to outstanding challenged ballots. On November 1, 2024, the local regional office of NLRB issued a complaint on certain unfair labor practice charges, which is currently scheduled for a hearing in late March 2025. This complaint is the first step in the administrative process and is not a finding of any wrongdoing, nor is it a decision or ruling of the NLRB. If a significant number of our employees were to become unionized, our labor costs could increase and our business could be negatively affected by other requirements and expectations that could increase our costs, reduce innovation, change our company culture, decrease our flexibility, and disrupt our business. In addition, a labor dispute or union campaign involving some or all of our employees, may harm our reputation, disrupt our operations, and result in legal expenses.