When processing end-user PII data (I see email address combined with IP address), you need a privacy policy. When registering, the website owner doesn't seem to have to agree to a terms-of-service governing the processing, so who owns the data isn't specified.<p>The API seems to return HTML documents on error, e.g. curl <a href="https://tuemilio.com/api/v1/lists" rel="nofollow">https://tuemilio.com/api/v1/lists</a> when not authenticated.<p>The API has X-RateLimit-Limit headers. Those aren't explained in the documentation.