If statistics are considered sensitive, you can use cryptographic counters in lieu of their plaintext counterparts.
A cryptographic counter is a public string representing an encryption
of a quantity, satisfying the following properties:
1. Subjects with access to the public-key can update the encrypted counter by an arbitrary amount, by means of increment or decrement operations and without first decrypting the value (i.e., the operation is performed over encrypted data);
2. The plaintext value is hidden from all participants except the entity holding some secret key;
3. The adversary can only learn if the cryptographic counter was updated (i.e., information about whether the counter was incremented or decremented is kept hidden to all participants except the secret-key holder and the updating entity -- honest-but-curious threat model).
A cryptographic counter is a public string representing an encryption of a quantity, satisfying the following properties:
1. Subjects with access to the public-key can update the encrypted counter by an arbitrary amount, by means of increment or decrement operations and without first decrypting the value (i.e., the operation is performed over encrypted data);
2. The plaintext value is hidden from all participants except the entity holding some secret key;
3. The adversary can only learn if the cryptographic counter was updated (i.e., information about whether the counter was incremented or decremented is kept hidden to all participants except the secret-key holder and the updating entity -- honest-but-curious threat model).
An implementation is available at https://github.com/secYOUre/Encounter .