Vincent, I think it's possible private apps don't get the rate limit headers. If your app code is executed in a single thread/process, it may be relatively simple to just code a "defensive" approach where you set a counter to 40 and record the start time, and then every time you're about to fire an API request:
1) Subtract 1 from the counter for the request.
2) If the counter is at 0, calculate the time elapsed since start in seconds (N) and add N*2 to the counter (never exceeding 40). Reset the timer to now.
3) If you're still at 0, sleep for 1 second and go back to 2.
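
The counter scheme described above, as an added example that is not part of the original post. The class and function names are hypothetical, the 40 and 2-per-second figures come from the post, and a single-threaded caller is assumed:

```python
import time

class DefensiveThrottle:
    """Counter-based limiter from the post: start at 40, regain 2 per second."""

    def __init__(self, capacity=40, per_second=2,
                 clock=time.monotonic, sleep=time.sleep):
        self.capacity, self.per_second = capacity, per_second
        self.clock, self.sleep = clock, sleep   # injectable for testing
        self.counter = capacity
        self.start = clock()                    # monotonic: immune to wall-clock jumps

    def acquire(self):
        """Call right before each API request; returns seconds slept."""
        slept = 0
        self.counter -= 1                                   # step 1
        while self.counter <= 0:                            # step 2
            now = self.clock()
            credit = int((now - self.start) * self.per_second)
            self.counter = min(self.capacity, self.counter + credit)
            self.start = now        # fractional credit is dropped: errs on the slow side
            if self.counter <= 0:                           # step 3
                self.sleep(1)
                slept += 1
        return slept


class FakeClock:
    """Constructed test clock so the simulation runs instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds


def simulate(n_requests):
    """Fire n_requests back to back; return (total seconds slept, final counter)."""
    clock = FakeClock()
    throttle = DefensiveThrottle(clock=clock, sleep=clock.sleep)
    slept = sum(throttle.acquire() for _ in range(n_requests))
    return slept, throttle.counter


if __name__ == "__main__":
    print(simulate(39), simulate(40), simulate(50))
```

In the simulation the first 39 requests pass without waiting, and from the 40th onward the caller settles at two requests per second of sleep.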