1. Controller
The controller within the meaning of the GDPR and the Swiss Federal Act on Data Protection (nDSG) is:
Andrin Iten & Max Diez, Kirchgasse 30, 8872 Weesen, Switzerland
Email: andrin@iten.to
2. Data we process
Account data: email address, name, password hash (stored by Firebase Authentication).
Usage data: API requests, character counts, dialect and voice selections, timestamps. Used solely for billing and rate-limiting.
Technical data: IP address, browser type, access times, collected automatically by our infrastructure for security and stability.
3. Audio and text data
Text sent to our API is processed in real time and deleted immediately after audio generation. We do not store, log, or use your text or audio for model training. No audio content is retained after delivery.
4. Purposes and legal basis
We process data to provide the TTS service (Art. 6(1)(b) GDPR, contract performance), to comply with legal obligations (Art. 6(1)(c) GDPR), and for legitimate interests such as security and fraud prevention (Art. 6(1)(f) GDPR).
5. Data location
Account and usage data are stored on Google Cloud / Firebase infrastructure. Speech synthesis (Modal) and text normalisation (Google Gemini) are performed by specialised providers that may process your submitted text outside Switzerland. We remain a Swiss controller under the nDSG; submitted text and generated audio are not stored or used for training.
6. Third-party services
Google Cloud Platform / Firebase: Infrastructure, database, and authentication, on the basis of a Data Processing Agreement.
Modal (Modal Labs, USA): TTS compute — your submitted text is processed to generate audio and is not retained afterwards.
Google (Gemini API): Text normalisation before synthesis — your submitted text is processed and not retained.
Google Fonts: Fonts loaded from Google servers; your IP address is transmitted to Google. No cookies are set by Google Fonts.
Font Awesome: Icons loaded from Cloudflare CDN. No personal data is stored.
Google Analytics (Google Ireland Ltd.): anonymous reach and usage statistics — only with your consent.
7. Cookies
We use technically necessary cookies (session authentication, CSRF protection) and — only with your consent — Google Analytics cookies. A cookie banner appears on your first visit; without consent no analytics cookies are set (Google Consent Mode v2). No advertising cookies. See our Cookie Policy for details and how to withdraw.
8. Data security
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256. Access is restricted to authorised personnel on a need-to-know basis.
9. Retention periods
Account data is retained for the duration of the contractual relationship and deleted within 30 days of account deletion. Usage data for billing purposes is retained for 10 years as required by Swiss law. Text and audio: no retention (processed in real time and immediately deleted).
10. Your rights
You have the right to: access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), objection (Art. 21), and withdrawal of consent (Art. 7(3)).
To exercise your rights, contact us at andrin@iten.to.
11. Right to lodge a complaint
You have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with the supervisory authority in your EU member state of residence.
12. Changes
We reserve the right to update this privacy policy. We will notify you of material changes by email or a notice on our website. The date of last update is shown at the top of this page.