Does WIN have an obligation to provide security or protection for a Bonchon customer's privacy, confidential information, or data?

According to Bonchon's 2025 Franchise Disclosure Document, WIN (presumably a service provider to Bonchon franchisees) generally has no obligation to provide security or protection for a customer's privacy, confidential information, or data, except as expressly provided in WIN's privacy policy and by law. This means that Bonchon franchisees cannot generally rely on WIN to ensure the security of customer data unless specifically outlined in WIN's privacy policy or required by applicable laws.

This disclaimer of obligation places the responsibility for data security and privacy largely on the Bonchon franchisee. Franchisees must implement their own security measures to protect customer information. This includes understanding and complying with relevant data protection laws and industry standards.

However, if a Bonchon customer notifies WIN that they are a Covered Entity or Business Associate under HIPAA and that their content includes Protected Health Information (PHI), and WIN determines it is rendered a Business Associate, then the parties will execute WIN's Business Associate Agreement. If the customer does not notify WIN, then WIN has no obligation to provide services in compliance with HIPAA. This highlights the importance of franchisees understanding their obligations under laws like HIPAA and communicating those obligations to service providers like WIN to ensure compliance and data protection.