Personalized services can provide significant user benefits since they adapt their behavior to better support the user. Personalized services use a variety of data related to the user to decide their behavior. Thus personalized service needs a provisioning system that can collect the data that impacts service behavior and allows selection of the most appropriate service. However, in the coming ubiquitous environment, some data necessary for determining service behavior might be unavailable due to two possible reasons. One is that the data does not exit. The other is that the data exists but can not be accessed. For example, users do not want to disclose their personal information, and service providers do not also want to expose data related to their know-how in services. This paper describes a new service provisioning system for distributed personalization with private data protection. Specifically, the system selects applicable services by assessing how well each candidate service behaves when some data is missing. It then executes those selected services while hiding the users' and providers' private data in a distributed manner. We first summarize the requirements for a personalized service system, and introduce our fundamental policies for the system. The two main components of our system are then described in detail. One component is a service assessment mechanism that can judge if a service can work without data that can be used for adaptation. The second component is a service execution mechanism that can utilize private data while still ensuring privacy. This component divides service logic and executes divided logic where necessary data is available. The paper finally describes our prototype implementation and its performance evaluation results.