While online service providers are sometimes accused of forwarding identifying customer information such as name and address to untrusted third parties, comparatively little attention is paid to the input data that customers provide explicitly to the service. If the input data is sensitive but the service provider is not completely trustworthy, this constitutes a serious privacy problem. From a privacy-defending point of view, the most desirable situation would be for the service not to require any kind of sensitive information at any time, while still yielding useful results for the customer. This paper presents a service architecture that allows for the use of a restricted number of services without requiring the transmission of unencrypted cu...