> In fact, the company is European and claims that their entire platform is GDPR compliant, which is... probably true?
I don't see how it is. The mere processing of my personal information (age, gender, race – doesn't matter that it's only a guess/estimate) without my explicit consent or any contractual need should already represent a violation of GDPR.
As far as I understand it's not, because GDPR concerns itself with personally identifiable data and "age/gender/race" is not identifiable in general (in context of a vending machine in a large city).
Correlate this with the date and location of the vending machine and it's not so clear anymore. GDPR is also concerned with data that could potentially be used to identify you.
I don't see how it is. The mere processing of my personal information (age, gender, race – doesn't matter that it's only a guess/estimate) without my explicit consent or any contractual need should already represent a violation of GDPR.