There is a lot going on in this question, so I'll pick out some individual aspects. Last but not least, I'll discuss if GDPR even applies.
Does the GDPR require consent for X?
Almost always, no. Consent is only one of many legal bases of processing. A common alternative to consent is a “legitimate interest” where a balancing test is performed between this legitimate interest and your interests, rights, and freedoms. Consent is typically only appropriate if this balancing test fails, for example if you would not reasonably expect this processing activity to occur.
It's worth noting that it's a reasonably common occurrence that businesses are sold or merged. This is not unexpected. In general, you would not be required to consent to such a transfer.
What can a company do with personal data acquired through a merger/acquisition?
The GDPR does not provide explicit provisions for this case. But it might be useful to think about the two cases where (a) the new company is a continuation or successor of the original one, and (b) where the data is transferred (“sold”) to an otherwise unrelated company.
In case (a) where the business is continued as normal, there is no change.
In case (b) where data is transferred to a separate company, things are more complicated.
The original company would need a legal basis for transferring the data. But as mentioned above, there might be a legitimate interest. Arguably, such a transfer could also be based on Art 6(1)(b) if the transfer is necessary to continue to provide the service, for example if the original company would otherwise have to terminate service.
Of course, activities like data brokering where access to data is granted to unrelated third parties would generally fail to be covered by contractual necessity or a legitimate interest, and would probably need consent – but that doesn't seem to be the case here.
When a data controller (such as the new company) acquires your personal data from sources other than directly from you, then they are subject to the notice requirements in Art 14. They have to actively notify you about their processing activities. But because you received emails that mentioned the transfer, this condition might have been met.
Of course the new company continues to be bound by the purpose limitation principle as detailed in Art 6(4) – they can only use the data for purposes that are compatible with the purposes for which the data was initially collected. Thus, the new company cannot arbitrarily widen processing purposes, though some change in scope is certainly permissible.
How does the GDPR right to object and to restrict processing apply here?
The Art 21 GDPR right to object means that if the legal basis for a processing activity is a “legitimate interest”, then you can ask for an opt-out. But in some cases, this objection does not have to be granted. An objection essentially requires the controller to repeat the legitimate interest balancing test, taking into account the “grounds relating to [your] particular situation” that you provided in the objection.
The Art 18 GDPR right to restrict processing is an alternative to the right to erasure. It applies only in narrow circumstances, for example while an objection is being checked.
It is likely that you were informed about the transfer to a new company about 1 month in advance, so that you would have been able to prevent this transfer by closing your account prior to the deadline. If the new company conducts processing activities based on a legitimate interest, then their presumably GDPR-compliant privacy notice about which you were notified will certainly explain that you have a right to object.
Is the new company GDPR-compliant?
That is impossible to tell, but nothing you've shown so far indicates that they're non-compliant.
My largest issue with this story is that the new company is from Australia, a country with extraordinarily bad privacy protections (as of 2022). However, due to the way how the GDPR treats international transfers of data, this doesn't prevent Australian data controllers from being GDPR-compliant, although it does make it difficult for other companies to use services based in Australia.
Does GDPR even apply?
Whether GDPR applies to a non-European company depends only on whether they either offer goods or services to people who are in Europe (“targeting criterion”), and whether the monitor people's behavior that takes place in Europe. Factors such as your citizenship would be irrelevant.
I'll ignore the monitoring criterion, and focus on the targeting criterion. I'll assume that you are in Europe (EU/EEA or UK).
Whether a company is targeting people in Europe depends primarily on the company's intentions. It does not matter whether the service is accessible from Europe.
Thus, it is quite possible that the original company was not subject to the GDPR. Then, any questions about GDPR, consent, and data transfers are moot.
In contrast, the new company clearly mentions GDPR-compliance, which would only matter if they intend for people in Europe to use their services. So GDPR probably applies to them, giving you the full suite of GDPR data subject rights as (hopefully) outlined in their privacy notice. And as long as they notified you that they acquired your personal data in accordance of Art 14, I don't seen anything that they might have done wrong in respect to this acquisition/merger.
They often include clauses which govern this situationhere is the Terms of Service that were active in 2015-2018, before the acquisition pastebin.com/zXmCdLVQ. I don't see any explicit passage that allows reselling data. And here is the legacy privacy policy active 2018-2019 pastebin.com/T2EyX7Fb. the acquisition happened in 2017, but I didn't find any older version before 2018, probably in some or in most parts it left the same as before 2018