Security of datatyped

I have a security question. If I dont enable Data api but I have no privacy rules setup for a datatype and have no page (but only workflows that search and manipulate them). Can someone access that datatype?

So the usecase is. I have a table magic-passwords where I store the passwords of users. I also have a token datatype. When a user submits there emailadress I send them a 4 digit token by email. If they type that token correctly then I search there password in the magic-passwords tabel and log then in using workflow.

Its difficult to set privacy rules for those two tables because users are not logged in. But I dont know if anyone can query those types even if Data api is disabled

Where can I find this information?