
What are the specific requirements for protecting customer data and complying with privacy laws in the operation of the Fitstop franchise, and how are these requirements enforced?

Fitstop Franchise · 2024 FDD

Answer from 2024 FDD Document

any non-material upgrades.

If not part of the POS system, at your cost and expense, you must investigate and ensure that you comply with all payment card industry ("PCI") and data security standard ("DSS") standards, regulations, and requirements. You must meet the requirements of, and comply with enhancements and changes to, the PCI and DSS and maintain PCI compliance with the current version of the PCI and DSS. You are responsible for using all required tools, systems, and vendors to complete ongoing PCI requirements including quarterly external security scans and annual self-assessment questionnaires. You are solely responsible for all costs relating to PCI compliance and data security issues, such as security threats, breaches, and malware. It is your responsibility to alert us, not later than 24 hours following a suspected or confirmed data security breach, so that appropriate action can be taken to protect customer data and notify relevant parties. You are not permitted to collect, store, transfer, etc. any unnecessary customer information.

We reserve the right to require that you purchase a security system to protect your Franchised Business and provide us with notice once it has been installed. We may require you to install a compliance monitoring system in your location at reference points designated by us. We may also require you to install a compliance monitoring system, which is not a security system but is a management and quality assurance tool. Both you and we will have the right to online access to the compliance monitoring system. By installing the compliance monitoring system, you and your employees are waiving any rights to privacy. You agree to require all your employees to sign a waiver of their right to privacy with respect to the use of any such compliance monitoring system. Please note that while we reserve the right to require this system to be implemented at your Franchised Business in the future, we do not typically require this kind of system as part of our Required Items as of the Issue Date.

ITEM 12: TERRITORY

Designated Territory

As of the Issue Date, we expect and intend to grant you certain territorial rights within a geographical area that will be designated in your Franchise Agreement at the time you execute the same, which we refer to as your "Designated Territory" throughout this Disclosure Document.

Subject to our reserved rights set forth more fully below in this Item, we will not open or operate, or license any third party a license to own or operate, a System Business that operates under the Proprietary Marks from a premises that is physically located within your Designated Territory. You will be afforded this territorial right until such time that the Franchise Agreement governing the Designated Territory at issue expires or is terminated.

As of the Issue Date, we expect that a typical Designated Territory will contain a population of approximately 40,000. We do not, however, have a minimum geographical area that we must afford to a given System franchisee, and we expect that your Designated Territory will vary from the territory granted to other System Business owners due to variance in the population, demographics, corporate/work population and density, proximity of competitors and/or related historical market saturation information. When analyzing and/or determining your Designated Territory on population, we will use publicly-available data and information published as part of the U.S. Census Bureau or comparable source/organization when analyzing the population and other demographics of the area surrounding your Designated Territory.

In certain situations where you have not secured an approved Premises at the time your Franchise Agreement is executed, we may determine to (i) designate a Designated Territory wherein you must locate and secure that Premises, and (ii) adjust the boundaries of the Designated Territory to a comparable geographical region that immediately surrounds the Premises, which we will provide to you in writing as part of our response to our site proposal so you can evaluate before securing the proposed site (if and as we determine appropriate).

What This Means (2024 FDD)

According to Fitstop's 2024 Franchise Disclosure Document, franchisees carry several obligations to protect customer data and comply with privacy laws. Where payment handling is not covered by the POS system, the franchisee must, at its own expense, comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS) and keep up with changes to it, using whatever tools, systems, and vendors are needed for ongoing compliance, including quarterly external security scans and annual self-assessment questionnaires. All costs of PCI compliance and of data security issues (threats, breaches, malware) fall on the franchisee. The franchisee must alert Fitstop no later than 24 hours after a suspected or confirmed data security breach; the clock starts at suspicion, not confirmation, so that Fitstop can act to protect customer data and notify the relevant parties. Franchisees may not collect, store, or transfer customer information that is not necessary.

Fitstop also sets out specific obligations for personal information. Franchisees must notify Fitstop immediately on suspecting any unauthorized use or disclosure of personal information, follow Fitstop's directions for protecting it, and assist Fitstop in complying with privacy laws. They must obtain the necessary consents from the individuals who provide personal information. Member information must be collected as specified in the manuals, stored appropriately, and provided to Fitstop as required. Fitstop may establish and maintain a member database.

To further protect confidential information, Fitstop requires franchisees to treat all confidential information as proprietary and to take precautions against its unauthorized dissemination. Employees with access to confidential information must sign a confidentiality and non-competition agreement that names Fitstop as a third-party beneficiary with independent enforcement rights. Franchisees are responsible for keeping the required software, the CMS (the abbreviation is not expanded here; presumably a customer management system), and the computer hardware secure from unauthorized use, and for ensuring that the software and data are used only for authorized purposes and are neither modified nor reverse engineered. Franchisees must also give Fitstop access to their computer systems, including passwords, for monitoring and auditing. A practitioner should note that sharing passwords with the franchisor sits uneasily with PCI DSS, which requires each user to have a unique ID and restricts shared credentials; a franchisee subject to both obligations should expect to provision separate, individually identifiable accounts for the franchisor's access rather than disclose its own passwords.

Disclaimer: This information is extracted from the 2024 Franchise Disclosure Document and is provided for research purposes only. It does not constitute legal or financial advice. Consult with a franchise attorney before making any investment decisions.