Data capsule facilitates temporal access control over the data's lifecycle by encapsulating sensitive objects and attached policies, thereby making strides in controllable data circulation. Nevertheless, when the management and ownership of the capsules are separated, the privacy protection and update flexibility of attached policies remain insufficient, thus triggering potential privilege abuse in the application of data capsules. Moreover, massive public parameters and key materials, as well as excessive computational costs, impose significant burdens on edge devices. To address the issues above, this paper proposes a self-destructive and policy-updatable access control scheme named PrivCap. It maps the attached temporal policies to mutually exclusive tree nodes and enables accurate determination of whether a time unit falls within the access range, thereby supporting the self-destructive mechanism of data capsules. Notably, PrivCap decouples token generation and capsule update, then achieves dynamic structural expansion of both access and temporal policies upon re-randomization of shares and encodes, respectively. Besides, it reduces the overhead of time keys and epoch public keys to linear complexity, while maintaining the constant-size local keys. Based on Decisional Linear Assumption, PrivCap is proven to achieve ciphertext indistinguishability under Chosen Plaintext Attack model. Through Java Pairing-Based Cryptography Library and several megabyte datasets, it is thoroughly compared with related works, demonstrating better scalability and practicality for data capsules.