Agree on the creepy side, though there’s other possibilities besides facial recognition, namely:
They buy data from a data broker. Said data broker bought (or got) location data from any number of apps you have installed on your phone that monitor your location data.
They associated your phone’s Wifi MAC (even if you don’t connect to their Wifi) or a bluetooth MAC (of bluetooth headphones, watch, or other device) to you previously, then saw it again
Agree on the creepy side, though there’s other possibilities besides facial recognition, namely: