Xollo.Build Proposal
Build proposal·v3.0· 14 July 2026·Prepared for George P.

Let's build Xollo.

A cold-DM automation platform for X, built on Apify end to end, with our own browser extension handling the account connection. Thirteen weeks, fixed price, working product on your domain at the end of it.

Duration
13 weeks
Fixed price
$16,500
Milestones
9
Cost per customer
~$16/mo
Target margin
~80%
The approach

No X API. No approval queue. No $0.015 a message.

The official X API charges $0.015 to send a single DM and $0.010 to check for a reply. It also no longer permits follow, like or quote-post writes on any self-serve tier, and X's published developer policy explicitly refuses applications for bulk outreach automation. Building on it means asking permission for a product they have already said they will not permit, then carrying a fully loaded cost of about $66 a month per customer for the privilege.

So we are not building on it. Xollo runs entirely on Apify, driving X the way a person's browser drives it. That removes the approval risk, removes the follow-and-like limitation, and drops the fully loaded cost to serve a customer from about $66 a month to about $16.

We use existing Apify actors wherever one does the job, which is almost everywhere. If a function has no good actor, we write a small one to fill the gap, rather than building the whole send stack from scratch. Less to build, less to maintain, and nothing hand-rolled that a store actor already does well.

The one thing this architecture needs is the customer's X session. So rather than sending people off to a random Chrome cookie-exporter extension and asking them to paste a raw token string into a text box, we build our own extension: Xollo Connect. One click, no copy and paste, session health monitored, expiry caught before it breaks a campaign. It is the difference between a product and a script.

01 — Approach

Three things we do differently to everyone else in this category.

DecisionWhat most tools doWhat Xollo does
Account connection Tell the customer to install a third-party cookie exporter, find two cookie values in DevTools, and paste a raw string into a form. Xollo Connect, our own extension. One click. The customer never sees a token. Session health and expiry are monitored and surfaced before a campaign breaks.
Automation actors Depend on one community Apify actor with no fallback, so when it breaks the product breaks. Use the existing store actors that already do each job, with a second actor configured as a fallback for every function. If a gap has no good actor, we write a small one to fill it. Nothing built that a store actor already does.
Account safety Blast a fresh account at full volume on day one and watch it get locked. Warm the account up first. A warm-up actor spends one to two weeks browsing, liking and following gradually to build the account's standing, then Xollo sends within a conservative fixed daily cap. No guessing, no probing for a hidden limit.

Warm up first, then send inside a safe cap

New X accounts that immediately start sending cold DMs get locked. The fix is not to guess how far you can push a cold account, it is to not send from a cold account at all. So Xollo warms an account up before it sends anything.

A warm-up actor runs human-like activity for one to two weeks: scrolling, liking a few posts a day, following a handful of relevant accounts, the ordinary behaviour of a real new user. That builds the account's standing with X and raises the volume it can sustain. Only then does Xollo start sending, and it sends inside a conservative daily cap rather than trying to find the edge. Warm-up automation like this already exists on Apify, so this is configuration and orchestration, not new research. It also means we are not gambling the product on discovering an undocumented limit, which was the riskiest idea in the earlier plan.

Warm-up, then send
Raise the account's standing first. Then send inside a safe cap.
SAFE CAP · CONSERVATIVE
Lock zone
Phase
Warming up
Account standing
Building
Safe daily cap
Sent today
0

A cold account sending cold DMs gets locked. Xollo spends the first week or two making the account look like a real, active user, which raises the ceiling before we ever use it. Then it sends well inside that raised limit. Slower to first DM, far less likely to lose the account.

02 — Xollo Connect

Our own extension, not somebody else's.

This is the piece that turns a technically-working script into something a customer will actually pay for and stay subscribed to.

Chrome MV3 · Firefox to follow

Every competitor in this space onboards the same clumsy way: install Cookie-Editor, log into X, export a headers string, paste it into a text box, and re-do the whole thing every few weeks when it silently expires. Half your support tickets will be about that flow, and a good share of your churn will be people who could not be bothered doing it again.

Xollo Connect replaces it entirely.

  • One-click connect. The customer clicks Connect, and the extension captures the session for the X account they are already logged into. No DevTools, no copy and paste, no token ever shown to a human.
  • Session health monitoring. The extension checks the session is still valid and reports status back to the dashboard. A campaign never dies silently.
  • Expiry caught early. When the session is close to expiring, the customer gets a notification and reconnects with one click, before a campaign stalls rather than after.
  • Multi-account. Connect several X accounts from one extension, switch between them, see each one's health independently.
  • One-click disconnect. Revokes on our side and wipes locally. The customer stays in control and can see that they are.
  • Account health surfaced in the popup. Sends today, the safe daily cap, and a plain-English health readout, without opening the dashboard.
Xollo Connect · extension popup

One decision I need from you: where does the session live?

Google treats authentication credentials as a sensitive data category. An extension may collect them, but the Chrome Web Store's Limited Use policy restricts what you may then do with them, and a reviewer will cross-check the manifest against the privacy policy against the dashboard disclosures. Any mismatch is a rejection. So this choice is not only about security, it is about whether the extension gets published at all.

Option 1
Server-side session
Runs when browser closedYes
SchedulingFull
You hold credentialsYes, all of them
Breach exposureTotal
Store review riskElevated
The simple one, and what most tools do. It also makes you the custodian of thousands of live X accounts.
Option 2
Hybrid: local first, server as fallback
Runs when browser closedYes, if enabled
SchedulingFull
You hold credentialsOnly on opt-in
Breach exposureReduced
Store review riskDefensible
Sends run in the customer's browser when it is open. Customers who want 24/7 sending explicitly opt into server-side, with the trade-off stated on screen. Most will. But you can say honestly that it is their choice, and the ones who care can keep the key.
Option 3
Local only
Runs when browser closedNo
SchedulingLimited
You hold credentialsNever
Breach exposureNone
Store review riskLow
The safest product and the weakest one. Campaigns stop when the laptop shuts. Hard to sell to an agency running five accounts.

My recommendation is Option 2. It is the only one that gets you a sellable product and a defensible answer when a customer, a reviewer, or an acquirer asks what you do with their session. Whichever we pick, sessions are envelope-encrypted with a managed key, never logged, never in URL parameters, and deletable in one click. That is not a nice-to-have here, it is the difference between a bad week and a company-ending week.

03 — Architecture

How it fits together.

Green is code we own. Orange is the hard engineering. Red is the part that holds credentials and therefore gets the most attention.

Customer
Web app
Next.js on Vercel
Dashboard, lead table, sequence builder, reply inbox, analytics.
Extension
Xollo Connect
Chrome MV3. One-click connect, session health, expiry alerts, one-click disconnect.
Supabase
Auth
Customer login
Email and Google.
Database
Postgres
Leads, campaigns, sends, replies, bookings, credits.
Vault
Session store
Envelope-encrypted, managed key, never logged, one-click wipe. Opt-in only.
Realtime
Live dashboard
Send counts and replies stream in.
pgmq
Job queue
Every pending action with a run-after timestamp.
Node worker · Railway or Fly.io
Scheduler
Cap + pacing
Holds each account to a conservative daily cap with human-like spacing. Pauses if sends start failing.
Dispatcher
Actor runner
Fires Apify actor runs, handles retries, swaps to the configured fallback actor if the primary fails.
Poller
Reply checker
Pulls the DM inbox, tags sentiment, updates the lead pipeline.
Apify · existing store actors, with fallbacks
Store
Warm-up actor
Builds a new account's standing over 1–2 weeks before it sends. The account-safety layer.
Store
Send actor
Sends DMs on the customer's session. Primary plus a configured fallback.
Store
Engage actor
Follow, like, quote-post as sequence steps.
Store
Scraper + inbox actors
Followers, repliers, keyword search, reply reads. Mostly public data.
Gap-fill
Small custom actor
Written only if a needed function has no good store actor. Built to fit, not to replace what already works.
Supporting services
AI
Claude / GPT
Message writing and reply sentiment. ~$0.00014 a message.
Booking
Cal.com
Link dropped into a reply. Clicks and bookings tracked to the campaign.
Billing
Stripe
Subscription plus DM credits.
Email
Resend
Onboarding, receipts, session-expiry alerts.
Our extension / gap-fill Account safety + pacing Holds credentials Store actors + ordinary

What happens when one DM goes out

1

Campaign starts

500 leads become 500 queued jobs, spread over days inside the safe daily cap, not fired all at once.

2

Cap check

Is this account warmed up and inside today's conservative cap? Is the session valid? Are there credits?

3

AI writes it

Bio and recent posts go to Claude. Out comes a personalised opener the customer can pre-approve.

Send

The send actor delivers it on the customer's session, spaced like a human. Deduct a credit.

!

Or pause

Repeated failures mean pause the account, alert the customer, and hold the campaign rather than push into a lock.

4

Reply lands

The poller reads the inbox, tags sentiment, and can drop a booking link into the reply.

04 — Scope

What the $16,500 buys.

Listed precisely, so there is no argument in week eleven. Anything on the right is a change request at $95 an hour, agreed in writing before work starts.

In scope

Delivered in 13 weeks

  • Sign up and login
  • Xollo Connect extension: one-click connect, multi-account, session health, expiry alerts, one-click disconnect Ours
  • Chrome Web Store submission, privacy policy, and data disclosures Ours
  • Encrypted session vault with managed key and one-click wipe
  • Apify actor integration for every X action, each with a configured fallback actor
  • Small custom actor only if a needed function has no good store actor If needed
  • Account warm-up: a warm-up actor builds a new account's standing before it sends Safety
  • Conservative per-account daily send cap with human-like spacing and auto-pause on failure
  • Lead sourcing: followers of a handle, repliers to a tweet, keyword search, community members
  • CSV lead import
  • Lead table: search, filters, tags, and a New → Contacted → Replied pipeline
  • Sequence builder: message, wait, follow-up, plus follow / like / quote-post steps. Stops on reply.
  • AI message writing from the lead's bio and posts, edit-before-send or auto-approve
  • Reply inbox across accounts, sentiment tagging, reply from inside the app
  • Calendar booking in the reply flow: Cal.com or Calendly link, clicks and bookings tracked
  • Suppression list enforced across every campaign and account
  • Analytics: sent, replied, reply rate, bookings, account warm-up status. 30-day window.
  • Stripe billing: base fee plus DM credits, hard stop at zero
  • Admin view: all customers, usage, credit burn, accounts still warming up
Out of scope

Not in the 13 weeks

  • Firefox and Safari versions of the extension (Chrome first, others quoted separately)
  • Drag-and-drop visual workflow canvas, replaced by a form-based sequence builder
  • A/B testing and bandit-based variant optimisation
  • Team seats and shared inbox
  • LinkedIn or email as a second channel
  • Zapier, Slack and HubSpot integrations
  • Lookalike lead discovery via embeddings
  • Revenue attribution beyond booking counts
  • Public API for customers
  • White-label
  • Affiliate programme
  • Mobile app or PWA
  • Free lead-magnet tools
  • Residential proxy pools and fingerprint spoofing. Apify handles pacing and IP rotation. We are not building an anti-detect layer.
05 — Timeline

Thirteen weeks, nine milestones.

Two things sit on the critical path: the extension, because the Chrome Web Store review is outside our control, and the warm-up plus send pipeline, because account safety is the product.

Workstream W1W2W3W4W5W6W7 W8W9W10W11W12W13
Actor + session spike
M0
Wireframes + session decision
M0
Schema, auth, session vault
M1
App shell + dashboard
M1
Xollo Connect extension
M2 · BUILD
Chrome Web Store review
M2 · OUT OF OUR HANDS
Apify scraping + lead table
M3
CSV import + suppression
M3
Actor integration + fallbacks
M4
Queue + dispatcher + cap
M4
Warm-up + send pipeline
M4 · CORE
AI message generation
M4
Follow / like / quote steps
M5
Inbox, sentiment, booking
M6
Analytics dashboard
M6
Stripe billing + credits
M7
UAT, deploy, handover
M8
Critical path Code we own outright Core build Supporting work

Why the extension is built early. Chrome Web Store review takes days and can take longer if a reviewer wants changes to the privacy disclosures, which is likely given we declare authentication data. We submit in week 5 so that a rejection and resubmission still lands well before launch. If we left it to week 11, a single review round could push the whole delivery.

M0 · $1,500Week 1

Spike and session decision

Confirm the shortlisted store actors work: warm-up, send, engage, inbox. Warm a burner account for a few days and measure how the safe send cap improves. Measure how long a session survives. Draft the extension's data disclosures against Chrome's Limited Use policy. Then decide Option 1, 2 or 3.

You getA memo with real numbers: which actors we will use, a safe daily cap before and after warm-up, session lifetime, and where the session should live.
M1 · $2,000Weeks 2–3

Foundation and the vault

Login, database, app shell. The encrypted session vault with managed key, one-click wipe, and no logging of credential material anywhere in the stack.

You canLog in and see an empty dashboard that is ready for accounts.
M2 · $2,500Weeks 3–5

Xollo Connect, built and submitted

The full extension: one-click connect, multi-account, session health, expiry alerts, disconnect. Privacy policy written, data disclosures filled, submitted to the Chrome Web Store.

You canInstall the extension, click once, and see your X account live in the dashboard.
M3 · $2,000Weeks 5–7

Leads in the system

Scrape followers, repliers, keyword results and community members through Apify. CSV upload. Filterable lead table. Suppression list enforced everywhere.

You canScrape 1,000 followers of any account, filter to 1k+ followers, tag them, and load them into a campaign.
M4 · $4,000Weeks 7–9

Warm-up, actors, and the send pipeline

Wire in the store actors for warm-up, send, engage and inbox, each with a fallback. Build the queue, dispatcher and the conservative daily-cap scheduler. Warm a real account for a few days, then run a governed campaign through it. This is the biggest block, and everything downstream depends on it.

You canWarm up an account, then run a live campaign of 100 leads end to end within a safe daily cap.
M5 · $1,000Week 10

Engagement steps

Follow, like and quote-post as steps inside a sequence, running on the Engage actor, governed by the same pacing engine and failing soft.

You canBuild a "like their post, wait a day, then DM" sequence and run it.
M6 · $2,000Week 11

Replies, bookings, analytics

Replies land in one inbox across accounts, tagged by sentiment. A booking link can be dropped into a reply and the resulting booking is tracked to the campaign. Analytics show reply rate, booking rate, and account health.

You canGet a reply, send a booking link, and see the booking appear in analytics.
M7 · $1,000Week 12

Billing

Stripe subscription plus DM credits. Credits deduct per send. Campaigns hard-stop at zero. Depends on the pricing decision below.

You canBuy a plan and watch the credit counter drop as DMs go out.
M8 · $500Week 13

Live

Deployed to your domain. Extension published. UAT bugs fixed. Code, actors and runbook handed over. Two weeks of post-handover bug fixing included.

You getA working product on your URL and the repo in your GitHub org.
06 — Price

$16,500 fixed, across 13 weeks.

Fixed price, not hourly. If the estimate is wrong that is my problem, as long as the scope does not move.

MilestoneWeeksAmount
M0 — Spike and session decision1$1,500
M1 — Foundation and encrypted session vault2–3$2,000
M2 — Xollo Connect extension, built and submitted3–5$2,500
M3 — Lead sourcing and lead table5–7$2,000
M4 — Warm-up, actor integration, queue and send pipeline7–9$4,000
M5 — Follow, like and quote-post steps10$1,000
M6 — Reply inbox, calendar booking, analytics11$2,000
M7 — Stripe billing and credits12$1,000
M8 — Hardening, UAT, deploy, handover13$500
Total13 weeks$16,500

What changed from the ten-week, $12,000 version. Three weeks and $4,500 were added for two reasons. The extension is a real product in its own right, not a wrapper, and it carries a Chrome Web Store review we do not control. And the account warm-up plus fallback-actor wiring is real work: integrating several store actors, configuring a backup for each, and building the warm-up-then-cap flow that keeps customer accounts alive. We use existing actors rather than building our own, which keeps that number from being higher.

Payment schedule

30%
$4,950
On signing. Covers M0 and the start of the foundation.
40%
$6,600
On M4 sign-off, when warmed accounts are running live campaigns.
30%
$4,950
On M8 handover, with the product live and the code in your org.

Third-party running costs, which you pay directly

ServiceDuring the buildOnce live
Apify$49/mo$49–199/mo + usage
Chrome Web Store developer account$5 one-off$0
SupabaseFree$25/mo + usage
VercelFree$20/mo + usage
Worker hosting~$10/mo$10–40/mo
Anthropic or OpenAI~$20~$0.40/customer/mo
Stripe$02.9% + $0.30/charge
ResendFree$0–20/mo
Rough total~$130~$110–300/mo fixed

How we work

Weekly call30 minutes, Monday.
Milestone demosA working link at the end of every milestone. You sign off or you list changes.
Code ownershipYour GitHub org from day one. The Apify actors are published under your account, not mine.
StagingA URL you can poke at any time.
Post-handoverTwo weeks of bug fixing included. A bug means it does not do what the scope says. A new idea is a change request.
Change requests$95/hour, agreed in writing before work starts.
07 — Unit economics

This is where dropping the X API pays for itself.

Cost to serve one customer for one month, sending 100 DMs a day, which is about 3,000 a month.

Fully loaded cost per customer per month · Apify architecture
Apify compute — 3,000 DM sends
$6.00
Share of fixed infrastructure
$4.00
Stripe fee on a $79 charge
$2.59
Apify compute — reply polling
$2.00
Apify — follow / like actions
$1.00
Apify — warm-up (amortised)
$0.50
AI writing the messages
$0.42
Apify — 1,000 new leads scraped
$0.15
Total fully loaded cost per customer, per month$16.66

Compared like for like, the same customer costs about $66 a month on the official X API and about $16.66 here. Both numbers are fully loaded: sends, reply reads, infrastructure, Stripe, AI and scraping. The gap is almost entirely the send line, $45 of X API charges versus roughly $6 of Apify compute for the same 3,000 DMs. That is the entire reason this architecture exists, and it is what lets Xollo price at $79 with about an 80% margin instead of $99 with a 35% one.

Suggested pricing

Credits rather than a flat daily promise, for one practical reason: a freshly warmed account and a long-established one safely handle very different volumes. Selling credits that a customer spends at whatever rate their account can sustain is honest, and it still makes money, whereas promising a fixed "250 a day" to an account that should not send that many is a refund waiting to happen.

Starter
$29/mo
Includes 500 DMs.
Extra at $0.02.
1 X account. DMs only.
Cost ~$7 · margin ~76%
Growth
$79/mo
Includes 3,000 DMs.
Extra at $0.015.
3 accounts, engagement steps, booking links.
Cost ~$16 · margin ~80%
Scale
$199/mo
Includes 10,000 DMs.
Extra at $0.012.
10 accounts. Everything in Growth.
Cost ~$45 · margin ~77%
Agency
Custom
Unlimited accounts.
Priced at cost + 50%.
Dedicated support.
Margin 50%+
08 — Risk

What we are doing about the things that could go wrong.

This architecture is faster, cheaper and more capable than the official-API route. It is not free of risk, and I would rather write the risks down than discover them with you in week nine.

01

You become the custodian of live X sessions

If Xollo's database leaks, an attacker gets full control of every stored account, not just the ability to send spam. This is the single largest liability in the product. What we do: envelope encryption with a managed key, nothing credential-shaped ever written to a log, one-click wipe, and the hybrid session model in Section 02 so that customers who want to keep the key can. Cyber liability insurance is worth pricing before launch.

Critical
02

Customers get their X accounts suspended

Session automation breaches X's terms and enforcement lands on the customer, not on you. A customer who loses a ten-year-old account will not be quiet about it. What we do: warm the account up before it sends, hold it to a conservative daily cap with human-like spacing, and auto-pause on repeated failure rather than pushing into a lock. Plus honest marketing that does not promise safety we cannot deliver.

High
03

Chrome Web Store rejects the extension

We declare authentication data, which puts us under Google's Limited Use policy and guarantees close reviewer scrutiny. A first-pass rejection is a realistic outcome. What we do: build and submit in week 5, not week 12, so a rejection and resubmission still lands early. Privacy policy and dashboard disclosures written to match the manifest exactly, since mismatches are the most common rejection reason. Self-hosted install is the fallback if the store says no permanently.

High
04

X changes its frontend and the actors break

The store actors drive X's private endpoints. X rotates them, and a given actor can break or be abandoned by its author. This will happen. What we do: every function has a second store actor configured as a fallback, we favour actors that re-resolve endpoints at runtime, and if a gap opens with no good actor we write a small one. Budget a retainer for repairs. There is no version of this architecture where that maintenance goes away.

High over 12 mo
05

No official fallback exists

Dropping the X API means there is no Plan B if the session route becomes unworkable. The official API could not replace it anyway, since it no longer permits follow or like and would quadruple the cost. What we do: name it honestly. This is a deliberate bet on one route. It is the right bet on the numbers, and it is still a bet.

Structural
06

Apify removes or restricts these actors

They host actors like these today, so evidently they permit it. Policies change, and X could pressure them. What we do: the dispatcher is written against a generic actor interface, so swapping to a different provider, or to a small self-hosted actor, is a configuration change rather than a rebuild. That portability is the reason the dispatcher is a distinct layer.

Medium
07

Cold DMs to scraped users may breach privacy law

GDPR treats a scraped profile as personal data. Australia's Spam Act 2003 covers electronic messages broadly. Automating a logged-in session against a platform's terms is also a weaker legal position than scraping public data. What we do: nothing, because this is outside the scope of a build engagement and outside my competence. Get a lawyer's view before launch. Nothing in this document is legal advice.

Unresolved
09 — Next steps

Three decisions and we start.

Decision 1 — Where does the session live?

Option 1, 2 or 3 from Section 02. My recommendation is Option 2: local sending by default, server-side as an explicit opt-in. This decides the extension's architecture, its Chrome Web Store disclosures, and how much liability you carry. Everything in M1 and M2 depends on it.

Before week 1

Decision 2 — The pricing model

Credits or a flat DM cap. These are two different builds, not two settings on one build. M7 builds whichever you pick. My recommendation is credits, because a warmed account and a freshly connected one safely sustain very different volumes, so a flat cap becomes a promise you cannot keep for everyone.

Before week 12

Decision 3 — Accounts and access

Needed on day one: an Apify account with a paid plan, a Chrome Web Store developer account (a one-off $5), a domain, and two or three real X accounts we are allowed to warm up and test against during the M0 spike. Without a test account the spike cannot run, and week one cannot start.

Day 1, week 1

Open questions I will answer in week one, not before

How much does warm-up actually raise the safe send rate?Nobody publishes a clean number. The M0 spike warms a real account and measures the before-and-after cap. It sets the conservative default and informs the tiers.
How long does a session survive under automated load?Scraper listings claim several weeks. Under heavy use it may be far less, which changes how aggressively the extension needs to prompt for reconnection.
Will Chrome approve the extension first time?Unknowable until submitted. Building it in week 5 is how we buy room to fail once.