Problem

From time to time, we ban using iptables bots that crawl our dataset through the API or the website (even though the data can be freely accessible on /data page).
We currently don't have any rate limit policy. Before setting up a rate-limiter, it is necessary to define rate-limits that users should respect, so that we can rate-limit them (once we have a rate-limiting mechanism in place) or block their requests in the meantime.
Our current approach is not fair to users, as we never told them how many requests they can make on our API.

On Open Food Facts, we receive ~3000 requests / min.
With this metric in mind, I suggest the following rate limit: 30 req/min on product page and product API calls (1% of all requests). If our reusers have a higher traffic, they can still set up a cache to avoid hitting our database everytime.