Trading & Entity Information
CenoDigital is a brand operating through two legal entities depending on where the client is based.
- UK operations · for UK clients
- Ashif Ahamad Mohammed Azam · Sole Trader, trading as CenoDigital.
8 Ramsey Way, Leicester LE5 1SJ, United Kingdom.
[email protected] · +44 7448 382 774
- Sri Lanka operations · for international clients
- CenoDigital (Pvt) Ltd · Registered company, PV00355015 (registered 2026).
153 Main Street, Panagamuwa, Kurunegala 60052, Sri Lanka.
[email protected] · +94 75 13 15 188
Privacy policy
We collect the minimum personal data we need to reply to you and deliver projects. We don't sell data, ever. You can ask us to delete everything we hold on you at any time.
- What we collect
- Contact details you give us (name, email, phone, company), project files you share, invoicing details, and anonymous analytics about visits to cenodigital.com.
- How we use it
- To reply, scope and deliver projects, invoice, and occasionally send our monthly newsletter (only if you subscribed).
- Where it lives
- On our business Google Workspace (EU region), our Sri Lanka and UK bank providers for invoices, and the third-party tools listed in the Subprocessors section.
- How long we keep it
- For as long as our commercial relationship lasts, plus 7 years for tax and legal records, then we delete it.
GDPR & data protection
CenoDigital is registered in Sri Lanka (PV00355015) and serves clients in the UK, EU and beyond. UK GDPR and EU GDPR apply to clients in those regions; Sri Lanka's Personal Data Protection Act (2022) and its applicable regulations apply to Sri Lankan operations.
- Our lawful basis
- (a) legitimate interest for replying to enquiries and portfolio communications, (b) contract performance for active client work, and (c) consent for the newsletter.
- Your rights
- You can access, rectify, erase, restrict, port or object to the processing of your personal data at any time, and you can withdraw consent without giving a reason.
- International transfers
- Our Sri Lanka team accesses project data only to do the work. Everyone on the team is bound by the same data handling obligations regardless of location.
- How to complain
- Write to us first at [email protected]. If you're unhappy with our response you can escalate to your local data protection supervisory authority.
Data processing (for clients)
When we deliver a project that involves personal data belonging to your users, customers or employees (a CMS, a booking form, a newsletter migration, analytics configuration, etc.), you are the data controller and we are the data processor.
- What we commit to
- We will only process that data on your documented instructions as set out in the Statement of Work, we won't use it for anything else, and we'll keep it secure at all times.
- Breach notification
- We'll notify you within 72 hours of becoming aware of any personal data breach affecting your project.
- End of engagement
- We return or delete all personal data at the end of the engagement, at your choice, and confirm in writing.
Subprocessors
We use a small set of vetted third parties to run the business. Each operates under data protection terms consistent with UK and EU law.
- Hetzner Online GmbH (Germany)
- Infrastructure hosting for our self-hosted Nextcloud instance, where job-application CVs and internal project files are stored. Data sits in Falkenstein / Nuremberg, Germany. Hetzner is ISO 27001 certified and signs a GDPR §28 Data Processing Agreement.
- Nextcloud (self-hosted)
- Open-source file-sync platform we run ourselves on Hetzner. Applicants' CVs are uploaded here directly when submitted through the careers form.
- Contabo GmbH (Germany)
- Infrastructure hosting for our self-hosted Mailcow mail server, which handles transactional email for the careers form and internal ops. Data sits in Nuremberg, Germany. Contabo signs a GDPR §28 Data Processing Agreement.
- Mailcow (self-hosted)
- Open-source mail-server platform we run ourselves on Contabo. Carries application notifications and internal mail — nothing leaves our infrastructure.
- Plausible Analytics (self-hosted)
- Privacy-friendly web analytics we run on our own server on Contabo. Cookieless and anonymous — no personal data is stored.
- Google Workspace (EU region)
- Business email, calendar and document collaboration for the team. Client and applicant data is NOT stored here — only internal working files.
- Cloudflare
- DNS, CDN and static site hosting for most client deliverables.
- Stripe & Wise
- Card payments, bank transfers and GBP/LKR currency conversion for invoicing.
- GitHub
- Source code repositories and deployment automation.
- Figma
- Design collaboration and client review of visual work.
Cookie policy
We set two cookies — one to record your consent choice, and one to show prices in your local currency. No tracking, no advertising, no third-party cookies.
- cd_consent
- Records whether you accepted or declined the cookie notice. First-party, 1-year expiry, SameSite=Lax. This is a strictly necessary cookie — it exists solely to remember your choice so we don't ask again.
- cd_country
- Set only if you accept the cookie notice. Stores your country code (from Cloudflare's geo header) so we can display the right currency. First-party, 30-day expiry, SameSite=Lax. Never sent to any analytics or advertising platform.
- What we don't use
- No analytics cookies, no advertising cookies, no social-plugin cookies, no third-party trackers of any kind.
- If you decline or block cookies
- You can decline via the consent banner or block cookies in your browser at any time. The site works normally — you'll just see prices in the default currency (GBP).
Website terms of use
By using cenodigital.com you agree to the following baseline rules of engagement.
- What you agree not to do
- Copy, scrape or redistribute site content without written permission; attempt to bypass our infrastructure; submit contact-form content that is unlawful, misleading, or not from you; or use any CenoDigital trademark without our consent.
- No warranty
- The site is provided "as is" without warranty of any kind. We try hard to keep it accurate but we're not liable for reliance on third-party information linked from it.
- Governing law
- These website terms are governed by the laws of England & Wales for UK visitors and Sri Lanka for Sri Lankan visitors, without prejudice to your local consumer rights.
Service terms (MSA summary)
Our client work runs under a short Master Services Agreement referenced inside every Statement of Work. Here's the operational summary — the full MSA is sent with every proposal.
- Scope and price
- Fixed in the Statement of Work before work begins. No hourly billing, no surprise invoices.
- Payment terms
- 50% upfront and 50% on launch, net 14 days, in GBP for UK clients and LKR for Sri Lankan clients unless otherwise agreed.
- Deliverables
- You own all deliverables (designs, code, content) free and clear once the final invoice clears.
- Licence we retain
- We retain a licence to the pre-existing tools, components and know-how we bring to the project.
- Change requests
- Anything outside SOW scope is quoted separately before work starts — no creep, no surprises.
- Termination
- Either party can terminate for material breach with 14 days' written notice to cure.
- Liability cap
- Our liability is capped at the fees paid in the 12 months preceding the claim, except for fraud, death, or personal injury.
- Governing law
- England & Wales for UK clients and Sri Lanka for Sri Lankan clients.
Intellectual property
You own it once you've paid for it. Once the final invoice clears, everything we built for your project is yours — no ongoing fees, no restrictions.
- What transfers to you
- Designs, copy written by us, source code, and compiled assets created specifically for your project.
- What stays ours
- Pre-existing IP — our internal CSS framework, reusable component library, process documents and templates. You get a perpetual, non-exclusive licence to use it as part of your deliverable.
- Third-party assets
- Fonts, icons, stock imagery and open-source libraries remain owned by their respective licensors. We use only those with a licence that permits your intended use and we document them in the handover.
- Content you supply
- Please only share content, images or data you have the right to use. If a third-party claim arises from material you provided, that sits with you, not us.
Confidentiality & NDA
We treat every client relationship as confidential by default. Mutual confidentiality is built into every engagement without needing a separate document.
- Our standard commitment
- We won't share your commercial information, strategy, internal data or anything marked confidential outside of our named project team, and you won't share ours.
- Signed NDA on request
- If you need a signed NDA before our first call, email [email protected] and we will send one over the same day.
- Standard exclusions
- Information already public, information independently developed, and disclosures required by law or regulator.
- Duration
- The life of the engagement plus 3 years afterwards.
- Breach consequences
- Breaking confidentiality is grounds for immediate termination and damages.
Portfolio & case-study rights
Unless a signed NDA says otherwise, we retain the right to reference our work with you in our portfolio, case studies, proposals, social media, and industry publications.
- What this covers
- Visual previews of the live site or brand, your logo, aggregated performance metrics where you've shared them, and a short written summary of the engagement.
- What it doesn't cover
- Any customer data, internal systems, unreleased products, pricing that isn't publicly listed, or anything marked confidential.
- Takedown policy
- You can ask us to remove a portfolio piece at any time and we will, within 7 days, no reason required.
- Day-one opt-out
- If you'd prefer no portfolio use from day one, flag it before the SOW is signed and it becomes a contract term.
Accessibility statement
We design and build to WCAG 2.2 Level AA as a minimum on every project unless a client opts for a different target.
- How we test
- Every release is tested with axe-core, keyboard-only navigation and a screen reader — NVDA on Windows, VoiceOver on macOS — before launch.
- Known limitations
- Listed on the Accessibility page within individual project deliverables and on cenodigital.com's accessibility footer link.
- Third-party embeds
- Maps, social widgets and similar components are only used where they meet AA. Where they don't, we substitute static alternatives.
- Reporting a barrier
- If you hit an accessibility issue on any site we built, email [email protected]. We acknowledge within 2 business days and patch blocking issues within 10 working days where the site is under an active retainer.
Security & responsible disclosure
We keep the surface area small on purpose and bake security into tooling rather than bolting it on afterwards.
- Internal baseline
- SSO-protected tooling, unique passwords in a business password manager, 2FA on every service that supports it, encrypted laptops, and a documented off-boarding checklist when people leave.
- Hosted client sites
- HTTPS-only by default, HSTS, and Content Security Policy.
- Responsible disclosure
- If you've found a vulnerability in any CenoDigital property or a site we built, email [email protected]. We confirm within 24 hours, work with you on a fix, and credit you publicly (with your consent) when it's resolved.
- No paid bug bounty
- We don't run a paid bug bounty programme, but we'll send a CenoDigital pack and a public thank-you for every valid, good-faith report.
AI tools
We use AI tools to assist with code, copy drafts and ideation. Every deliverable is reviewed, refined and owned by us before it reaches you.
- What we use AI for
- Drafting copy, generating code scaffolding, brainstorming ideas, and speeding up repetitive tasks. AI output is always a starting point, not a finished deliverable.
- Your data stays yours
- We do not feed your confidential briefs, content, or data into third-party AI models. Internal working files stay on our own infrastructure.
- If you want AI-free delivery
- Flag it before the SOW is signed and we will note it as a project term.
Acceptable use
If you're using a site or service we host on your behalf, the following rules apply.
- Prohibited content
- Content that is unlawful, defamatory, harassing, infringing, or in breach of privacy rights.
- No unsolicited commercial email
- Don't use the service to send spam or bulk unsolicited commercial email.
- No bypass attempts
- Don't attempt to bypass authentication, rate-limits or billing controls.
- No malware or attacks
- Don't host malware or run a service that amounts to an attack on a third party.
- Special-category data
- Don't process health or biometric personal data without giving us written notice and agreeing additional safeguards.
Refunds & cancellations
Our cancellation policy is designed to be fair to both sides — it protects your deposit where work hasn't started and protects our calendar where it has.
- Deposits
- Non-refundable after discovery starts because we immediately hold calendar space and commit senior time.
- Before the first design review
- You can cancel with 7 days' written notice. You owe us the pro-rata value of work done, invoiced against the deposit; any remainder is non-refundable.
- After the first design review
- The full SOW fee is due and non-refundable.
- If we miss a deadline
- If we miss a deadline by more than 14 days through our fault (not yours), you can cancel and receive a refund of any fees paid for the undelivered portion.
- UK cooling-off
- UK consumer clients have a statutory 14-day cooling-off period from SOW signature. Once work starts at your request, that period ends.
Complaints procedure
If something goes wrong, tell us quickly and directly. We want to fix it, not defend it.
- Step 1 — direct contact
- Email the senior designer or engineer on your account. Most issues are resolved within 48 hours.
- Step 2 — escalate to founders
- If that doesn't resolve it, escalate to [email protected]. We acknowledge within 1 business day and respond with a formal position and a proposed remedy within 10 business days.
- Data-protection complaints
- You can contact your local data protection supervisory authority at any time without going through us first.
Referral policy
We pay 10% of the first invoice of any qualified referral, minimum £100, 14 days after the client pays us.
- What counts as qualified
- The referred business signs a SOW with us of £1,000 or more within 90 days of the introduction.
- No stacking
- Referral fees don't combine with partner-tier commissions. Whichever is higher applies.
- Compliance
- Not applicable where your organisation prohibits receiving referral payments.