Do they hold a unique token though? Here in the UK, I've definitely gotten "loyalty" offers printed with my receipt even though I've only ever used my debit card there and not a store card.

Depending on the system they can still get an account/card number. They shouldn't be storing it but...

They can certainly get cardholder names and that sort of thing though. Maybe they've figured out a way to generate a unique token based only on non-secure data.