Exhibit 99.3

UPDATED INFORMATION RELATING TO ALIBABA GROUP

Equity Incentive Plans

2024 Plan

Our 2024 Equity Incentive Plan (the “2024 Plan”) was approved at our annual general meeting of shareholders held in August 2024 to replace our 2014 Post-IPO Equity Incentive Plan, which expired on September 18, 2024. The 2024 Plan provides for the granting of restricted share units, restricted shares, options (in the form of incentive stock options and non-statutory stock options) and share appreciation rights, that may vest or be exercised into ordinary shares, par value US$0.000003125 per share (“Shares”) (including in the form of ADSs). The 2024 Plan is funded by the new issuance of ordinary shares or the transfer of treasury shares, as applicable and determined by us. The 2024 Plan is subject to the requirements of Chapter 17 of the Hong Kong Listing Rules. For a summary of the key terms of the 2024 Plan, see “ Exhibit 99.2 – Proxy Statement for Annual General Meeting” to our current report on Form 6-K furnished to the Securities and Exchange Commission on July 5, 2024.

The maximum aggregate number of Shares (including any transfer of treasury shares) which may underly options and awards under the 2024 Plan is 483,000,000 Shares (equivalent to 60,375,000 ADSs), representing approximately 2.58% of the number of issued Shares (as issued and outstanding) of our company, excluding treasury shares, as of the adoption date of the 2024 Plan.

Within the 2024 Plan scheme limit, the maximum aggregate number of Shares which may be issued (or transferred, in the case of treasury shares) in respect of all options and awards to be granted under the 2024 Plan to service providers is 93,716,368 Shares (equivalent to 11,714,546 ADSs), representing approximately 0.50% of the number of issued Shares (as issued and outstanding) of our company, excluding treasury shares, as of the adoption date of the 2024 Plan.

1 

2024 Plan (Existing Shares)

The 2024 Equity Incentive Plan (Existing Shares) (the “2024 Plan (Existing Shares)”) was approved by our board of directors in August 2024. It provides for the granting of restricted share units, restricted shares, options (in the form of non-statutory stock options) and share appreciation rights, that may vest or be exercised into ordinary shares (including in the form of ADSs). The 2024 Plan (Existing Shares) is funded by existing Shares, and therefore it does not constitute a scheme involving the issue of new Shares as referred to in Chapter 17 of the Hong Kong Listing Rules and is only subject to the applicable disclosure requirements of Rule 17.12 of the Hong Kong Listing Rules.

The maximum number of options and awards available for grant under the 2024 Plan (Existing Shares) was 517,000,000 Shares (equivalent to 64,625,000 ADSs), representing approximately 2.6% of the number of issued Shares (as issued and outstanding) of our company, excluding treasury shares, as of the adoption date of the 2024 Plan.

Potential Disposition of Sun Art

On September 27, 2024, the board of directors of Sun Art Retail Group Limited (“Sun Art”), a majority-owned subsidiary of our company listed on the Main Board of the Hong Kong Stock Exchange (Stock Code: 6808), received an approach letter from a potential offeror (the “Potential Offeror”) who expressed an intention to make a pre-conditional voluntary conditional offer (the “Possible Offer”) for all the issued shares of, and an option offer to cancel all outstanding share options issued by, Sun Art, subject to various matters. To our knowledge, (i) discussions with the Potential Offeror as to the key terms of the Possible Offer for the purpose of any irrevocable undertaking are ongoing, (ii) we are also in discussions with several other parties, and (iii) the discussions may or may not lead to any agreement or transaction.

2 

Update on Regulation of Data and Privacy Protection

On September 30, 2024, the State Council released the Regulation on Network Data Security Management, which will come into effect on January 1, 2025. The Regulation on Network Data Security Management revised the draft regulations and provide detailed operational guidelines for the implementation of the PRC Cybersecurity Law, Data Security Law, and Personal Information Protection Law. According to the Regulation on Network Data Security Management, data processors shall identify and report the type of important data involved in their business pursuant to relevant guidelines, and processors of important data shall adopt specific measures to secure important data, such as designating the personnel and management body responsible for network data security, conducting risk assessment and submitting annual risk assessment reports to relevant authorities. Failure to protect important data, including failure to identify and report the type of important data, can lead to administrative penalties, including fines, suspension of business operations, and revocation of business licenses. The Regulation on Network Data Security Management also requires companies processing personal information of 10 million individuals or more to implement additional measures on personal information protection, including but not limited to, designating the personnel and management body responsible for network data security.

In terms of network platform governance, the Regulation on Network Data Security Management imposes compliance obligations on network platform service providers, in particular, overseeing the network data security practice of third parties who provide products or services on the platform and bearing legal liabilities when such third parties’ network data processing activities violate applicable laws or the platform rules and causes damage to users. Large network platform operators with (i) over 50 million registered users or more than 10 million monthly active users; (ii) complex business models and (iii) whose network data processing activities may significantly impact national security, economic operations and public welfare, shall publish annual social responsibility report on personal information protection, and shall not carry out unfair or deceptive practices such as collecting and processing user data through misleading, fraudulent, or coercive means, unjustified restrictions on user data access, and unreasonable differential treatment of users.

3