Privacy Policy for Tontaube API
Version: 19 March 2026
We, Cremer & Cremer Technologies UG (haftungsbeschränkt), located in Berlin, Germany, take the protection of your personal data seriously. This Privacy Policy informs you how we collect, process, and protect your data in connection with the use of our text-to-speech Application Programming Interface (the “API”) and related developer services (collectively, “Services”).
The processing is carried out in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Important Distinction: Controller vs. Processor
- When you create an account, purchase credits, or contact support: We act as the Data Controller for your account and billing information. This Privacy Policy applies to this data.
- When you send text or voice samples to our API for processing: We act as your Data Processor. The handling, security, and routing of your API payload (Input and Output) is governed entirely by our Data Processing Agreement (DPA), not this Privacy Policy.
1. Controller
The controller responsible for data processing within the meaning of the GDPR is:
Cremer & Cremer Technologies UG (haftungsbeschränkt)
Herderstraße 22, 12163 Berlin, Germany
Data Protection Contact:
Jonathan Cremer
Email: data-protection@craitech.io
2. Categories of Personal Data We Collect & Legal Bases
We only collect data that is necessary to provide, secure, and bill for our API services. We base our processing on the following legal bases of the GDPR (Art. 6).
(a) Account & Registration Data
- Data: Email address, password (hashed), developer name or company name.
- Purpose: To create and manage your API access, authenticate you, and provide API keys.
- Legal Basis: Fulfillment of contract (Art. 6(1)(b) GDPR).
(b) Billing & Payment Data
- Data: Transaction IDs, added balance amount (in USD), billing country, VAT ID. (Note: Actual credit card details are processed directly by our Merchant of Record, Paddle, and never touch our servers.)
- Purpose: To fulfill your balance top-ups, allocate funds to your account, and maintain legal accounting records.
- Legal Basis: Fulfillment of contract (Art. 6(1)(b) GDPR) and legal obligation (Art. 6(1)(c) GDPR).
(c) API Telemetry & Backend Log Data
- Data: IP address, User-Agent, API keys used, request timestamps, endpoint URLs accessed, HTTP status codes, error rates, and balance consumption per request.
- Purpose: To meter your usage for billing, enforce rate limits, prevent DDoS attacks, detect fraudulent activity, and debug backend API errors.
- Legal Basis: Fulfillment of contract (Art. 6(1)(b) GDPR) and our legitimate interest in securing and technically optimizing our infrastructure (Art. 6(1)(f) GDPR).
(d) Communication & Support
- Data: Your email address, name, and the content of your support requests or bug reports.
- Purpose: To resolve technical issues and answer your questions.
- Legal Basis: Fulfillment of contract (Art. 6(1)(b) GDPR) and legitimate interest in providing customer service (Art. 6(1)(f) GDPR).
3. Recipients of Your Data
To provide our API and developer platform, we rely on trusted third-party service providers.
3.1 Independent Controllers (Merchant of Record)
- Paddle (Paddle.com Market Limited / Paddle Payments Ltd): Paddle acts as our Merchant of Record. When you add balance to your account, your payment details are transferred to Paddle on the basis of Art. 6(1)(b) GDPR (fulfillment of contract). Paddle then acts as an independent Data Controller for your payment details and invoicing data to comply with its own global tax, financial, and regulatory obligations.
3.2 Processors (Art. 28 GDPR)
We use the following processors to host our developer platform and route your requests. They process data exclusively according to our instructions:
- Google Cloud Platform / Firebase (Google Ireland Ltd.): Hosting our frontend (Firebase Hosting), user databases, authentication backend, and API gateways.
- (Note: For a list of Sub-processors that handle the actual text/audio payloads sent to the API, such as OpenAI or RunPod, please refer to our DPA.)
3.3 Other Disclosures
We only transmit your data to authorities or courts when legally required to do so, or to legal successors in the event of a merger or acquisition.
4. International Data Transfers
Some of our infrastructure providers operate globally. We ensure that any transfer of personal data outside the European Economic Area (EEA) is protected by:
- The EU-US Data Privacy Framework (DPF) for certified US companies (e.g., Google LLC).
- The Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by technical safeguards like encryption.
5. Storage Periods
We store your data only as long as necessary for the stated purposes:
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion + 14 days | Contract fulfillment and system synchronization. |
| API Telemetry & Logs | Up to 30 days | Security analysis, debugging, and rate limit enforcement. Fully anonymized statistics may be kept indefinitely. |
| Billing & Invoice Data | 10 years | Mandatory retention under German commercial and tax law (§ 257 HGB, § 147 AO). |
| Support Correspondence | 6 years | Mandatory retention for business correspondence (§ 257 HGB). |
6. Your Rights as a Data Subject
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15 GDPR): Request a copy of your stored data.
- Right to rectification (Art. 16 GDPR): Correct inaccurate data.
- Right to erasure (Art. 17 GDPR): Request deletion of your account and data, provided no legal retention obligations (like tax laws) prevent it.
- Right to restriction (Art. 18 GDPR): Restrict processing under certain conditions.
- Right to data portability (Art. 20 GDPR): Receive your account data in a machine-readable format.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interest (Art. 6(1)(f)).
To exercise your rights, please email us at data-protection@craitech.io.
Right to Lodge a Complaint (Art. 77 GDPR)
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The authority responsible for us is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59–61, 10555 Berlin, Germany
Website: https://www.datenschutz-berlin.de
7. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect technical, legal, or operational changes to our API. We will notify you of material changes via email or through an announcement in the developer dashboard before the changes take effect.